From 97a89d7ecc18271117a585a591c2c45174c47622 Mon Sep 17 00:00:00 2001 From: zhenfei Date: Fri, 20 May 2022 12:30:32 -0400 Subject: [PATCH] polish IOP code base (#24) --- poly-iop/benches/bench.rs | 4 +- poly-iop/src/lib.rs | 15 +- poly-iop/src/structs.rs | 25 +-- poly-iop/src/sum_check/mod.rs | 87 +++++------ poly-iop/src/sum_check/prover.rs | 98 ++++++------ poly-iop/src/sum_check/verifier.rs | 65 ++++---- poly-iop/src/transcript.rs | 58 ++++--- poly-iop/src/virtual_poly.rs | 236 ++++++++++++++++++++++++++--- poly-iop/src/zero_check/mod.rs | 218 +++++--------------------- 9 files changed, 445 insertions(+), 361 deletions(-) diff --git a/poly-iop/benches/bench.rs b/poly-iop/benches/bench.rs index 1886138..0095f52 100644 --- a/poly-iop/benches/bench.rs +++ b/poly-iop/benches/bench.rs @@ -23,7 +23,7 @@ fn bench_sum_check() -> Result<(), PolyIOPErrors> { let (poly, asserted_sum) = VirtualPolynomial::rand(nv, (degree, degree + 1), 2, &mut rng)?; - let poly_info = poly.domain_info.clone(); + let poly_info = poly.aux_info.clone(); let proof = { let start = Instant::now(); for _ in 0..repetition { @@ -84,7 +84,7 @@ fn bench_zero_check() -> Result<(), PolyIOPErrors> { }; let poly = VirtualPolynomial::rand_zero(nv, (degree, degree + 1), 2, &mut rng)?; - let poly_info = poly.domain_info.clone(); + let poly_info = poly.aux_info.clone(); let proof = { let start = Instant::now(); let mut transcript = as ZeroCheck>::init_transcript(); diff --git a/poly-iop/src/lib.rs b/poly-iop/src/lib.rs index 06882a9..8e2fff0 100644 --- a/poly-iop/src/lib.rs +++ b/poly-iop/src/lib.rs @@ -12,12 +12,23 @@ mod zero_check; pub use errors::PolyIOPErrors; pub use sum_check::SumCheck; pub use virtual_poly::VirtualPolynomial; -pub use zero_check::{build_eq_x_r, ZeroCheck}; +pub use zero_check::ZeroCheck; +#[derive(Clone, Debug, Default, Copy)] /// Struct for PolyIOP protocol. -/// It is instantiated with +/// It has an associated type `F` that defines the prime field the multi-variate +/// polynomial operates on. +/// +/// An PolyIOP may be instantiated with one of the following: /// - SumCheck protocol. /// - ZeroCheck protocol. +/// - PermutationCheck protocol. +/// +/// Those individual protocol may have similar or identical APIs. +/// The systematic way to invoke specific protocol is, for example +/// ` as SumCheck>::prove()` pub struct PolyIOP { + /// Associated field + #[doc(hidden)] phantom: PhantomData, } diff --git a/poly-iop/src/structs.rs b/poly-iop/src/structs.rs index 51df44d..f83048e 100644 --- a/poly-iop/src/structs.rs +++ b/poly-iop/src/structs.rs @@ -1,22 +1,10 @@ -//! Structs for polynomials and extensions. +//! This module defines structs that are shared by all sub protocols. use crate::VirtualPolynomial; use ark_ff::PrimeField; -use std::marker::PhantomData; -#[derive(Clone, Debug, Default, PartialEq)] -/// Auxiliary information about the multilinear polynomial -pub struct DomainInfo { - /// max number of multiplicands in each product - pub max_degree: usize, - /// number of variables of the polynomial - pub num_variables: usize, - /// Associated field - #[doc(hidden)] - pub(crate) phantom: PhantomData, -} - -/// Subclaim when verifier is convinced +/// A Subclaim is a claim generated by the verifier at the end of verification +/// when it is convinced. pub struct SubClaim { /// the multi-dimensional point that this multilinear extension is evaluated /// to @@ -25,9 +13,8 @@ pub struct SubClaim { pub expected_evaluation: F, } -/// An IOP proof is a list of messages from prover to verifier -/// through the interactive protocol. -/// It is a shared struct for both sumcheck and zerocheck protocols. +/// An IOP proof is a collections of messages from prover to verifier at each +/// round through the interactive protocol. #[derive(Clone, Debug, Default, PartialEq)] pub struct IOPProof { pub proofs: Vec>, @@ -40,7 +27,7 @@ pub struct IOPProverMessage { pub(crate) evaluations: Vec, } -/// Prover State of a PolyIOP +/// Prover State of a PolyIOP. pub struct IOPProverState { /// sampled randomness given by the verifier pub challenges: Vec, diff --git a/poly-iop/src/sum_check/mod.rs b/poly-iop/src/sum_check/mod.rs index c21ba8f..ae7e143 100644 --- a/poly-iop/src/sum_check/mod.rs +++ b/poly-iop/src/sum_check/mod.rs @@ -1,12 +1,10 @@ //! This module implements the sum check protocol. -//! Currently this is a simple wrapper of the sumcheck protocol -//! from Arkworks. use crate::{ errors::PolyIOPErrors, - structs::{DomainInfo, IOPProof, IOPProverState, IOPVerifierState, SubClaim}, + structs::{IOPProof, IOPProverState, IOPVerifierState, SubClaim}, transcript::IOPTranscript, - virtual_poly::VirtualPolynomial, + virtual_poly::{VPAuxInfo, VirtualPolynomial}, PolyIOP, }; use ark_ff::PrimeField; @@ -18,12 +16,12 @@ mod verifier; /// Trait for doing sum check protocols. pub trait SumCheck { type Proof; - type PolyList; - type DomainInfo; + type VirtualPolynomial; + type VPAuxInfo; type SubClaim; type Transcript; - /// extract sum from the proof + /// Extract sum from the proof fn extract_sum(proof: &Self::Proof) -> F; /// Initialize the system with a transcript @@ -38,7 +36,7 @@ pub trait SumCheck { /// /// The polynomial is represented in the form of a VirtualPolynomial. fn prove( - poly: &Self::PolyList, + poly: &Self::VirtualPolynomial, transcript: &mut Self::Transcript, ) -> Result; @@ -46,7 +44,7 @@ pub trait SumCheck { fn verify( sum: F, proof: &Self::Proof, - domain_info: &Self::DomainInfo, + aux_info: &Self::VPAuxInfo, transcript: &mut Self::Transcript, ) -> Result; } @@ -56,17 +54,15 @@ pub trait SumCheckProver where Self: Sized, { - type PolyList; + type VirtualPolynomial; type ProverMessage; - /// Initialize the prover to argue for the sum of polynomial over - /// {0,1}^`num_vars` - /// - /// The polynomial is represented in the form of a VirtualPolynomial. - fn prover_init(polynomial: &Self::PolyList) -> Result; + /// Initialize the prover state to argue for the sum of the input polynomial + /// over {0,1}^`num_vars`. + fn prover_init(polynomial: &Self::VirtualPolynomial) -> Result; - /// receive message from verifier, generate prover message, and proceed to - /// next round + /// Receive message from verifier, generate prover message, and proceed to + /// next round. /// /// Main algorithm used is from section 3.2 of [XZZPS19](https://eprint.iacr.org/2019/317.pdf#subsection.3.2). fn prove_round_and_update_state( @@ -77,31 +73,33 @@ where /// Trait for sum check protocol verifier side APIs. pub trait SumCheckVerifier { - type DomainInfo; + type VPAuxInfo; type ProverMessage; type Challenge; type Transcript; type SubClaim; - /// initialize the verifier - fn verifier_init(index_info: &Self::DomainInfo) -> Self; + /// Initialize the verifier's state. + fn verifier_init(index_info: &Self::VPAuxInfo) -> Self; - /// Run verifier at current round, given prover message + /// Run verifier for the current round, given a prover message. /// - /// Normally, this function should perform actual verification. Instead, - /// `verify_round` only samples and stores randomness and perform - /// verifications altogether in `check_and_generate_subclaim` at - /// the last step. + /// Note that `verify_round_and_update_state` only samples and stores + /// challenges; and update the verifier's state accordingly. The actual + /// verifications are deferred (in batch) to `check_and_generate_subclaim` + /// at the last step. fn verify_round_and_update_state( &mut self, prover_msg: &Self::ProverMessage, transcript: &mut Self::Transcript, ) -> Result; - /// verify the sumcheck phase, and generate the subclaim + /// This function verifies the deferred checks in the interactive version of + /// the protocol; and generate the subclaim. Returns an error if the + /// proof failed to verify. /// /// If the asserted sum is correct, then the multilinear polynomial - /// evaluated at `subclaim.point` is `subclaim.expected_evaluation`. + /// evaluated at `subclaim.point` will be `subclaim.expected_evaluation`. /// Otherwise, it is highly unlikely that those two will be equal. /// Larger field size guarantees smaller soundness error. fn check_and_generate_subclaim( @@ -112,15 +110,12 @@ pub trait SumCheckVerifier { impl SumCheck for PolyIOP { type Proof = IOPProof; - - type PolyList = VirtualPolynomial; - - type DomainInfo = DomainInfo; - + type VirtualPolynomial = VirtualPolynomial; + type VPAuxInfo = VPAuxInfo; type SubClaim = SubClaim; - type Transcript = IOPTranscript; + /// Extract sum from the proof fn extract_sum(proof: &Self::Proof) -> F { let start = start_timer!(|| "extract sum"); let res = proof.proofs[0].evaluations[0] + proof.proofs[0].evaluations[1]; @@ -145,17 +140,17 @@ impl SumCheck for PolyIOP { /// /// The polynomial is represented in the form of a VirtualPolynomial. fn prove( - poly: &Self::PolyList, + poly: &Self::VirtualPolynomial, transcript: &mut Self::Transcript, ) -> Result { let start = start_timer!(|| "sum check prove"); - transcript.append_domain_info(&poly.domain_info)?; + transcript.append_aux_info(&poly.aux_info)?; let mut prover_state = IOPProverState::prover_init(poly)?; let mut challenge = None; - let mut prover_msgs = Vec::with_capacity(poly.domain_info.num_variables); - for _ in 0..poly.domain_info.num_variables { + let mut prover_msgs = Vec::with_capacity(poly.aux_info.num_variables); + for _ in 0..poly.aux_info.num_variables { let prover_msg = IOPProverState::prove_round_and_update_state(&mut prover_state, &challenge)?; transcript.append_prover_message(&prover_msg)?; @@ -169,18 +164,18 @@ impl SumCheck for PolyIOP { }) } - /// verify the claimed sum using the proof + /// Verify the claimed sum using the proof fn verify( claimed_sum: F, proof: &Self::Proof, - domain_info: &Self::DomainInfo, + aux_info: &Self::VPAuxInfo, transcript: &mut Self::Transcript, ) -> Result { let start = start_timer!(|| "sum check verify"); - transcript.append_domain_info(domain_info)?; - let mut verifier_state = IOPVerifierState::verifier_init(domain_info); - for i in 0..domain_info.num_variables { + transcript.append_aux_info(aux_info)?; + let mut verifier_state = IOPVerifierState::verifier_init(aux_info); + for i in 0..aux_info.num_variables { let prover_msg = proof.proofs.get(i).expect("proof is incomplete"); transcript.append_prover_message(prover_msg)?; IOPVerifierState::verify_round_and_update_state( @@ -218,7 +213,7 @@ mod test { let (poly, asserted_sum) = VirtualPolynomial::rand(nv, num_multiplicands_range, num_products, &mut rng)?; let proof = as SumCheck>::prove(&poly, &mut transcript)?; - let poly_info = poly.domain_info.clone(); + let poly_info = poly.aux_info.clone(); let mut transcript = as SumCheck>::init_transcript(); let subclaim = as SumCheck>::verify( asserted_sum, @@ -241,7 +236,7 @@ mod test { let mut rng = test_rng(); let (poly, asserted_sum) = VirtualPolynomial::::rand(nv, num_multiplicands_range, num_products, &mut rng)?; - let poly_info = poly.domain_info.clone(); + let poly_info = poly.aux_info.clone(); let mut prover_state = IOPProverState::prover_init(&poly)?; let mut verifier_state = IOPVerifierState::verifier_init(&poly_info); let mut challenge = None; @@ -249,7 +244,7 @@ mod test { transcript .append_message(b"testing", b"initializing transcript for testing") .unwrap(); - for _ in 0..poly.domain_info.num_variables { + for _ in 0..poly.aux_info.num_variables { let prover_message = IOPProverState::prove_round_and_update_state(&mut prover_state, &challenge) .unwrap(); @@ -362,7 +357,7 @@ mod test { drop(prover); let mut transcript = as SumCheck>::init_transcript(); - let poly_info = poly.domain_info.clone(); + let poly_info = poly.aux_info.clone(); let proof = as SumCheck>::prove(&poly, &mut transcript)?; let asserted_sum = as SumCheck>::extract_sum(&proof); diff --git a/poly-iop/src/sum_check/prover.rs b/poly-iop/src/sum_check/prover.rs index 78c8a01..81c1060 100644 --- a/poly-iop/src/sum_check/prover.rs +++ b/poly-iop/src/sum_check/prover.rs @@ -1,4 +1,4 @@ -//! Prover +//! Prover subroutines for a SumCheck protocol. use super::SumCheckProver; use crate::{ @@ -15,14 +15,14 @@ use std::rc::Rc; use rayon::iter::{IndexedParallelIterator, IntoParallelRefMutIterator, ParallelIterator}; impl SumCheckProver for IOPProverState { - type PolyList = VirtualPolynomial; + type VirtualPolynomial = VirtualPolynomial; type ProverMessage = IOPProverMessage; - /// Initialize the prover to argue for the sum of polynomial over - /// {0,1}^`num_vars` - fn prover_init(polynomial: &Self::PolyList) -> Result { + /// Initialize the prover state to argue for the sum of the input polynomial + /// over {0,1}^`num_vars`. + fn prover_init(polynomial: &Self::VirtualPolynomial) -> Result { let start = start_timer!(|| "sum check prover init"); - if polynomial.domain_info.num_variables == 0 { + if polynomial.aux_info.num_variables == 0 { return Err(PolyIOPErrors::InvalidParameters( "Attempt to prove a constant.".to_string(), )); @@ -30,14 +30,14 @@ impl SumCheckProver for IOPProverState { end_timer!(start); Ok(Self { - challenges: Vec::with_capacity(polynomial.domain_info.num_variables), + challenges: Vec::with_capacity(polynomial.aux_info.num_variables), round: 0, poly: polynomial.clone(), }) } /// Receive message from verifier, generate prover message, and proceed to - /// next round + /// next round. /// /// Main algorithm used is from section 3.2 of [XZZPS19](https://eprint.iacr.org/2019/317.pdf#subsection.3.2). fn prove_round_and_update_state( @@ -47,8 +47,25 @@ impl SumCheckProver for IOPProverState { let start = start_timer!(|| format!("sum check prove {}-th round and update state", self.round)); + if self.round >= self.poly.aux_info.num_variables { + return Err(PolyIOPErrors::InvalidProver( + "Prover is not active".to_string(), + )); + } + let fix_argument = start_timer!(|| "fix argument"); + // Step 1: + // fix argument and evaluate f(x) over x_m = r; where r is the challenge + // for the current round, and m is the round number, indexed from 1 + // + // i.e.: + // at round m <=n, for each mle g(x_1, ... x_n) within the flattened_mle + // which has already been evaluated to + // + // g(r_1, ..., r_{m-1}, x_m ... x_n) + // + // eval g over r_m, and mutate g to g(r_1, ... r_m,, x_{m+1}... x_n) let mut flattened_ml_extensions: Vec> = self .poly .flattened_ml_extensions @@ -64,18 +81,16 @@ impl SumCheckProver for IOPProverState { } self.challenges.push(*chal); - // fix argument - let i = self.round; - let r = self.challenges[i - 1]; + let r = self.challenges[self.round - 1]; #[cfg(feature = "parallel")] flattened_ml_extensions .par_iter_mut() - .for_each(|multiplicand| *multiplicand = multiplicand.fix_variables(&[r])); + .for_each(|mle| *mle = mle.fix_variables(&[r])); #[cfg(not(feature = "parallel"))] flattened_ml_extensions .iter_mut() - .for_each(|multiplicand| *multiplicand = multiplicand.fix_variables(&[r])); + .for_each(|mle| *mle = mle.fix_variables(&[r])); } else if self.round > 0 { return Err(PolyIOPErrors::InvalidProver( "verifier message is empty".to_string(), @@ -85,30 +100,22 @@ impl SumCheckProver for IOPProverState { self.round += 1; - if self.round > self.poly.domain_info.num_variables { - return Err(PolyIOPErrors::InvalidProver( - "Prover is not active".to_string(), - )); - } - let products_list = self.poly.products.clone(); - let i = self.round; - let nv = self.poly.domain_info.num_variables; - let degree = self.poly.domain_info.max_degree; // the degree of univariate polynomial sent by prover at this round - - let mut products_sum = Vec::with_capacity(degree + 1); - products_sum.resize(degree + 1, F::zero()); + let mut products_sum = Vec::with_capacity(self.poly.aux_info.max_degree + 1); + products_sum.resize(self.poly.aux_info.max_degree + 1, F::zero()); let compute_sum = start_timer!(|| "compute sum"); - // generate sum + // Step 2: generate sum for the partial evaluated polynomial: + // f(r_1, ... r_m,, x_{m+1}... x_n) + #[cfg(feature = "parallel")] products_sum.par_iter_mut().enumerate().for_each(|(t, e)| { - for b in 0..1 << (nv - i) { + for b in 0..1 << (self.poly.aux_info.num_variables - self.round) { // evaluate P_round(t) for (coefficient, products) in products_list.iter() { - let num_multiplicands = products.len(); + let num_mles = products.len(); let mut product = *coefficient; - for &f in products.iter().take(num_multiplicands) { + for &f in products.iter().take(num_mles) { let table = &flattened_ml_extensions[f]; // f's range is checked in init product *= table[b << 1] * (F::one() - F::from(t as u64)) + table[(b << 1) + 1] * F::from(t as u64); @@ -119,26 +126,23 @@ impl SumCheckProver for IOPProverState { }); #[cfg(not(feature = "parallel"))] - for b in 0..1 << (nv - i) { - products_sum - .iter_mut() - .take(degree + 1) - .enumerate() - .for_each(|(t, e)| { - // evaluate P_round(t) - for (coefficient, products) in products_list.iter() { - let num_multiplicands = products.len(); - let mut product = *coefficient; - for &f in products.iter().take(num_multiplicands) { - let table = &flattened_ml_extensions[f]; // f's range is checked in init - product *= table[b << 1] * (F::one() - F::from(t as u64)) - + table[(b << 1) + 1] * F::from(t as u64); - } - *e += product; + products_sum.iter_mut().enumerate().for_each(|(t, e)| { + for b in 0..1 << (self.poly.aux_info.num_variables - self.round) { + // evaluate P_round(t) + for (coefficient, products) in products_list.iter() { + let num_mles = products.len(); + let mut product = *coefficient; + for &f in products.iter().take(num_mles) { + let table = &flattened_ml_extensions[f]; // f's range is checked in init + product *= table[b << 1] * (F::one() - F::from(t as u64)) + + table[(b << 1) + 1] * F::from(t as u64); } - }); - } + *e += product; + } + } + }); + // update prover's state to the partial evaluated polynomial self.poly.flattened_ml_extensions = flattened_ml_extensions .iter() .map(|x| Rc::new(x.clone())) diff --git a/poly-iop/src/sum_check/verifier.rs b/poly-iop/src/sum_check/verifier.rs index 8a3a4f6..63cd6cb 100644 --- a/poly-iop/src/sum_check/verifier.rs +++ b/poly-iop/src/sum_check/verifier.rs @@ -1,11 +1,11 @@ -// TODO: some of the struct is generic for Sum Checks and Zero Checks. -// If so move them to src/structs.rs +//! Verifier subroutines for a SumCheck protocol. use super::SumCheckVerifier; use crate::{ errors::PolyIOPErrors, - structs::{DomainInfo, IOPProverMessage, IOPVerifierState, SubClaim}, + structs::{IOPProverMessage, IOPVerifierState, SubClaim}, transcript::IOPTranscript, + virtual_poly::VPAuxInfo, }; use ark_ff::PrimeField; use ark_std::{end_timer, start_timer}; @@ -14,14 +14,14 @@ use ark_std::{end_timer, start_timer}; use rayon::iter::{IndexedParallelIterator, IntoParallelIterator, ParallelIterator}; impl SumCheckVerifier for IOPVerifierState { - type DomainInfo = DomainInfo; + type VPAuxInfo = VPAuxInfo; type ProverMessage = IOPProverMessage; type Challenge = F; type Transcript = IOPTranscript; type SubClaim = SubClaim; - /// initialize the verifier - fn verifier_init(index_info: &Self::DomainInfo) -> Self { + /// Initialize the verifier's state. + fn verifier_init(index_info: &Self::VPAuxInfo) -> Self { let start = start_timer!(|| "sum check verifier init"); let res = Self { round: 1, @@ -35,12 +35,12 @@ impl SumCheckVerifier for IOPVerifierState { res } - /// Run verifier at current round, given prover message + /// Run verifier for the current round, given a prover message. /// - /// Normally, this function should perform actual verification. Instead, - /// `verify_round` only samples and stores randomness and perform - /// verifications altogether in `check_and_generate_subclaim` at - /// the last step. + /// Note that `verify_round_and_update_state` only samples and stores + /// challenges; and update the verifier's state accordingly. The actual + /// verifications are deferred (in batch) to `check_and_generate_subclaim` + /// at the last step. fn verify_round_and_update_state( &mut self, prover_msg: &Self::ProverMessage, @@ -55,23 +55,24 @@ impl SumCheckVerifier for IOPVerifierState { )); } - // Now, verifier should check if the received P(0) + P(1) = expected. The check - // is moved to `check_and_generate_subclaim`, and will be done after the - // last round. + // In an interactive protocol, the verifier should + // + // 1. check if the received 'P(0) + P(1) = expected`. + // 2. set `expected` to P(r)` + // + // When we turn the protocol to a non-interactive one, it is sufficient to defer + // such checks to `check_and_generate_subclaim` after the last round. let challenge = transcript.get_and_append_challenge(b"Internal round")?; self.challenges.push(challenge); self.polynomials_received .push(prover_msg.evaluations.to_vec()); - // Now, verifier should set `expected` to P(r). - // This operation is also moved to `check_and_generate_subclaim`, - // and will be done after the last round. - if self.round == self.num_vars { // accept and close self.finished = true; } else { + // proceed to the next round self.round += 1; } @@ -79,10 +80,12 @@ impl SumCheckVerifier for IOPVerifierState { Ok(challenge) } - /// verify the sumcheck phase, and generate the subclaim + /// This function verifies the deferred checks in the interactive version of + /// the protocol; and generate the subclaim. Returns an error if the + /// proof failed to verify. /// /// If the asserted sum is correct, then the multilinear polynomial - /// evaluated at `subclaim.point` is `subclaim.expected_evaluation`. + /// evaluated at `subclaim.point` will be `subclaim.expected_evaluation`. /// Otherwise, it is highly unlikely that those two will be equal. /// Larger field size guarantees smaller soundness error. fn check_and_generate_subclaim( @@ -102,6 +105,8 @@ impl SumCheckVerifier for IOPVerifierState { )); } + // the deferred check during the interactive phase: + // 2. set `expected` to P(r)` #[cfg(feature = "parallel")] let mut expected_vec = self .polynomials_received @@ -137,6 +142,7 @@ impl SumCheckVerifier for IOPVerifierState { interpolate_uni_poly::(&evaluations, challenge) }) .collect::, PolyIOPErrors>>()?; + // insert the asserted_sum to the first position of the expected vector expected_vec.insert(0, *asserted_sum); @@ -146,6 +152,8 @@ impl SumCheckVerifier for IOPVerifierState { .zip(expected_vec.iter()) .take(self.num_vars) { + // the deferred check during the interactive phase: + // 1. check if the received 'P(0) + P(1) = expected`. if evaluations[0] + evaluations[1] != expected { return Err(PolyIOPErrors::InvalidProof( "Prover message is not consistent with the claim.".to_string(), @@ -154,8 +162,9 @@ impl SumCheckVerifier for IOPVerifierState { } end_timer!(start); Ok(SubClaim { - point: self.challenges.to_vec(), - // the last expected value (unchecked) will be included in the subclaim + point: self.challenges.clone(), + // the last expected value (not checked within this function) will be included in the + // subclaim expected_evaluation: expected_vec[self.num_vars], }) } @@ -163,19 +172,20 @@ impl SumCheckVerifier for IOPVerifierState { /// Interpolate a uni-variate degree-`p_i.len()-1` polynomial and evaluate this /// polynomial at `eval_at`: +/// /// \sum_{i=0}^len p_i * (\prod_{j!=i} (eval_at - j)/(i-j) ) +/// /// This implementation is linear in number of inputs in terms of field /// operations. It also has a quadratic term in primitive operations which is /// negligible compared to field operations. -pub(crate) fn interpolate_uni_poly( - p_i: &[F], - eval_at: F, -) -> Result { +fn interpolate_uni_poly(p_i: &[F], eval_at: F) -> Result { let start = start_timer!(|| "sum check interpolate uni poly opt"); let mut res = F::zero(); - // prod = \prod_{j!=i} (eval_at - j) + // compute + // - prod = \prod (eval_at - j) + // - evals = [eval_at - j] let mut evals = vec![]; let len = p_i.len(); let mut prod = eval_at; @@ -188,6 +198,7 @@ pub(crate) fn interpolate_uni_poly( } for i in 0..len { + // res += p_i * prod / (divisor * (eval_at - j)) let divisor = get_divisor(i, len)?; let divisor_f = { if divisor < 0 { diff --git a/poly-iop/src/transcript.rs b/poly-iop/src/transcript.rs index df7d117..d14fb17 100644 --- a/poly-iop/src/transcript.rs +++ b/poly-iop/src/transcript.rs @@ -1,14 +1,24 @@ -use std::marker::PhantomData; +//! Module for PolyIOP transcript. +//! TODO(ZZ): move this module to HyperPlonk where the transcript will also be +//! useful. +//! TODO(ZZ): decide which APIs need to be public. use ark_ff::PrimeField; use merlin::Transcript; +use std::marker::PhantomData; -use crate::{ - errors::PolyIOPErrors, - structs::{DomainInfo, IOPProverMessage}, - to_bytes, -}; +use crate::{errors::PolyIOPErrors, structs::IOPProverMessage, to_bytes, virtual_poly::VPAuxInfo}; +/// An IOP transcript consists of a Merlin transcript and a flag `is_empty` to +/// indicate that if the transcript is empty. +/// +/// It is associated with a prime field `F` for which challenges are generated +/// over. +/// +/// The `is_empty` flag is useful in the case where a protocol is initiated by +/// the verifier, in which case the prover should start its phase by receiving a +/// `non-empty` transcript. +#[derive(Clone)] pub struct IOPTranscript { transcript: Transcript, is_empty: bool, @@ -17,7 +27,7 @@ pub struct IOPTranscript { } impl IOPTranscript { - /// create a new IOP transcript + /// Create a new IOP transcript. pub(crate) fn new(label: &'static [u8]) -> Self { Self { transcript: Transcript::new(label), @@ -26,7 +36,7 @@ impl IOPTranscript { } } - // append the message to the transcript + // Append the message to the transcript. pub fn append_message( &mut self, label: &'static [u8], @@ -37,20 +47,18 @@ impl IOPTranscript { Ok(()) } - pub(crate) fn append_domain_info( - &mut self, - domain_info: &DomainInfo, - ) -> Result<(), PolyIOPErrors> { + // Append the aux information for a virtual polynomial. + pub(crate) fn append_aux_info(&mut self, aux_info: &VPAuxInfo) -> Result<(), PolyIOPErrors> { let message = format!( "max_mul {} num_var {}", - domain_info.max_degree, domain_info.num_variables + aux_info.max_degree, aux_info.num_variables ); self.append_message(b"aux info", message.as_bytes())?; Ok(()) } - // append the message to the transcript + // Append the message to the transcript. pub(crate) fn append_field_element( &mut self, label: &'static [u8], @@ -59,6 +67,7 @@ impl IOPTranscript { self.append_message(label, &to_bytes!(field_elem)?) } + // Append a prover message to the transcript. pub(crate) fn append_prover_message( &mut self, prover_message: &IOPProverMessage, @@ -69,12 +78,16 @@ impl IOPTranscript { Ok(()) } - // generate the challenge for the current transcript - // and append it to the transcript + // Generate the challenge from the current transcript + // and append it to the transcript. + // + // The output field element is statistical uniform as long + // as the field has a size less than 2^384. pub(crate) fn get_and_append_challenge( &mut self, label: &'static [u8], ) -> Result { + // we need to reject when transcript is empty if self.is_empty { return Err(PolyIOPErrors::InvalidTranscript( "transcript is empty".to_string(), @@ -89,14 +102,23 @@ impl IOPTranscript { Ok(challenge) } - // generate a list of challenges for the current transcript - // and append it to the transcript + // Generate a list of challenges from the current transcript + // and append them to the transcript. + // + // The output field element are statistical uniform as long + // as the field has a size less than 2^384. pub(crate) fn get_and_append_challenge_vectors( &mut self, label: &'static [u8], len: usize, ) -> Result, PolyIOPErrors> { // we need to reject when transcript is empty + if self.is_empty { + return Err(PolyIOPErrors::InvalidTranscript( + "transcript is empty".to_string(), + )); + } + let mut res = vec![]; for _ in 0..len { res.push(self.get_and_append_challenge(label)?) diff --git a/poly-iop/src/virtual_poly.rs b/poly-iop/src/virtual_poly.rs index dc27059..49d4297 100644 --- a/poly-iop/src/virtual_poly.rs +++ b/poly-iop/src/virtual_poly.rs @@ -1,4 +1,7 @@ -use crate::{errors::PolyIOPErrors, structs::DomainInfo}; +//! This module defines our main mathematical object `VirtualPolynomial`; and +//! various functions associated with it. + +use crate::errors::PolyIOPErrors; use ark_ff::PrimeField; use ark_poly::{DenseMultilinearExtension, MultilinearExtension}; use ark_std::{ @@ -38,7 +41,7 @@ use std::{cmp::max, collections::HashMap, marker::PhantomData, ops::Add, rc::Rc} #[derive(Clone, Debug, Default, PartialEq)] pub struct VirtualPolynomial { /// Aux information about the multilinear polynomial - pub domain_info: DomainInfo, + pub aux_info: VPAuxInfo, /// list of reference to products (as usize) of multilinear extension pub products: Vec<(F, Vec)>, /// Stores multilinear extensions in which product multiplicand can refer @@ -48,6 +51,18 @@ pub struct VirtualPolynomial { raw_pointers_lookup_table: HashMap<*const DenseMultilinearExtension, usize>, } +#[derive(Clone, Debug, Default, PartialEq)] +/// Auxiliary information about the multilinear polynomial +pub struct VPAuxInfo { + /// max number of multiplicands in each product + pub max_degree: usize, + /// number of variables of the polynomial + pub num_variables: usize, + /// Associated field + #[doc(hidden)] + pub(crate) phantom: PhantomData, +} + impl Add for &VirtualPolynomial { type Output = VirtualPolynomial; fn add(self, other: &VirtualPolynomial) -> Self::Output { @@ -69,10 +84,10 @@ impl Add for &VirtualPolynomial { } impl VirtualPolynomial { - /// Returns an empty polynomial + /// Creates an empty virtual polynomial with `num_variables`. pub fn new(num_variables: usize) -> Self { VirtualPolynomial { - domain_info: DomainInfo { + aux_info: VPAuxInfo { max_degree: 0, num_variables, phantom: PhantomData::default(), @@ -83,27 +98,31 @@ impl VirtualPolynomial { } } - /// Returns an new virtual polynomial from a MLE + /// Creates an new virtual polynomial from a MLE and its coefficient. pub fn new_from_mle(mle: Rc>, coefficient: F) -> Self { let mle_ptr: *const DenseMultilinearExtension = Rc::as_ptr(&mle); let mut hm = HashMap::new(); hm.insert(mle_ptr, 0); VirtualPolynomial { - domain_info: DomainInfo { + aux_info: VPAuxInfo { // The max degree is the max degree of any individual variable max_degree: 1, num_variables: mle.num_vars, phantom: PhantomData::default(), }, + // here `0` points to the first polynomial of `flattened_ml_extensions` products: vec![(coefficient, vec![0])], flattened_ml_extensions: vec![mle], raw_pointers_lookup_table: hm, } } - /// Add a list of multilinear extensions that is meant to be multiplied - /// together. The resulting polynomial will be multiplied by the scalar + /// Add a product of list of multilinear extensions to self + /// Returns an error if the list is empty, or the MLE has a different + /// `num_vars` from self. + /// + /// The MLEs will be multiplied together, and then multiplied by the scalar /// `coefficient`. pub fn add_mle_list( &mut self, @@ -112,13 +131,20 @@ impl VirtualPolynomial { ) -> Result<(), PolyIOPErrors> { let mle_list: Vec>> = mle_list.into_iter().collect(); let mut indexed_product = Vec::with_capacity(mle_list.len()); - assert!(!mle_list.is_empty()); - self.domain_info.max_degree = max(self.domain_info.max_degree, mle_list.len()); + + if mle_list.is_empty() { + return Err(PolyIOPErrors::InvalidParameters( + "input mle_list is empty".to_string(), + )); + } + + self.aux_info.max_degree = max(self.aux_info.max_degree, mle_list.len()); + for mle in mle_list { - if mle.num_vars != self.domain_info.num_variables { + if mle.num_vars != self.aux_info.num_variables { return Err(PolyIOPErrors::InvalidParameters(format!( "product has a multiplicand with wrong number of variables {} vs {}", - mle.num_vars, self.domain_info.num_variables + mle.num_vars, self.aux_info.num_variables ))); } @@ -137,16 +163,26 @@ impl VirtualPolynomial { } /// Multiple the current VirtualPolynomial by an MLE: - /// - add the MLE to the MLE list - /// - multiple each product by MLE and its coefficient + /// - add the MLE to the MLE list; + /// - multiple each product by MLE and its coefficient. + /// Returns an error if the MLE has a different `num_vars` from self. pub fn mul_by_mle( &mut self, mle: Rc>, coefficient: F, ) -> Result<(), PolyIOPErrors> { let start = start_timer!(|| "mul by mle"); + + if mle.num_vars != self.aux_info.num_variables { + return Err(PolyIOPErrors::InvalidParameters(format!( + "product has a multiplicand with wrong number of variables {} vs {}", + mle.num_vars, self.aux_info.num_variables + ))); + } + let mle_ptr: *const DenseMultilinearExtension = Rc::as_ptr(&mle); + // check if this mle already exists in the virtual polynomial let mle_index = match self.raw_pointers_lookup_table.get(&mle_ptr) { Some(&p) => p, None => { @@ -158,22 +194,27 @@ impl VirtualPolynomial { }; for (prod_coef, indices) in self.products.iter_mut() { + // - add the MLE to the MLE list; + // - multiple each product by MLE and its coefficient. indices.push(mle_index); *prod_coef *= coefficient; } - self.domain_info.max_degree += 1; + + // increase the max degree by one as the MLE has degree 1. + self.aux_info.max_degree += 1; end_timer!(start); Ok(()) } - /// Evaluate the polynomial at point `point` + /// Evaluate the virtual polynomial at point `point`. + /// Returns an error is point.len() does not match `num_variables`. pub fn evaluate(&self, point: &[F]) -> Result { let start = start_timer!(|| "evaluation"); - if self.domain_info.num_variables != point.len() { + if self.aux_info.num_variables != point.len() { return Err(PolyIOPErrors::InvalidParameters(format!( "wrong number of variables {} vs {}", - self.domain_info.num_variables, + self.aux_info.num_variables, point.len() ))); } @@ -222,8 +263,8 @@ impl VirtualPolynomial { Ok((poly, sum)) } - /// Sample a random virtual polynomial that evaluates to zero everywhere on - /// the boolean hypercube. + /// Sample a random virtual polynomial that evaluates to zero everywhere + /// over the boolean hypercube. pub fn rand_zero( nv: usize, num_multiplicands_range: (usize, usize), @@ -236,11 +277,36 @@ impl VirtualPolynomial { rng.gen_range(num_multiplicands_range.0..num_multiplicands_range.1); let product = random_zero_mle_list(nv, num_multiplicands, rng); let coefficient = F::rand(rng); - poly.add_mle_list(product.into_iter(), coefficient).unwrap(); + poly.add_mle_list(product.into_iter(), coefficient)?; } Ok(poly) } + + // Input poly f(x) and a random vector r, output + // \hat f(x) = \sum_{x_i \in eval_x} f(x_i) eq(x, r) + // where + // eq(x,y) = \prod_i=1^num_var (x_i * y_i + (1-x_i)*(1-y_i)) + // + // This function is used in ZeroCheck. + pub(crate) fn build_f_hat(&self, r: &[F]) -> Result { + let start = start_timer!(|| "zero check build hat f"); + + if self.aux_info.num_variables != r.len() { + return Err(PolyIOPErrors::InvalidParameters(format!( + "r.len() is different from number of variables: {} vs {}", + r.len(), + self.aux_info.num_variables + ))); + } + + let eq_x_r = build_eq_x_r(r)?; + let mut res = self.clone(); + res.mul_by_mle(eq_x_r, F::one())?; + + end_timer!(start); + Ok(res) + } } /// Sample a random list of multilinear polynomials. @@ -307,6 +373,68 @@ pub fn random_zero_mle_list( list } +// This function build the eq(x, r) polynomial for any given r. +// +// Evaluate +// eq(x,y) = \prod_i=1^num_var (x_i * y_i + (1-x_i)*(1-y_i)) +// over r, which is +// eq(x,y) = \prod_i=1^num_var (x_i * r_i + (1-x_i)*(1-r_i)) +fn build_eq_x_r(r: &[F]) -> Result>, PolyIOPErrors> { + let start = start_timer!(|| "zero check build eq_x_r"); + + // we build eq(x,r) from its evaluations + // we want to evaluate eq(x,r) over x \in {0, 1}^num_vars + // for example, with num_vars = 4, x is a binary vector of 4, then + // 0 0 0 0 -> (1-r0) * (1-r1) * (1-r2) * (1-r3) + // 1 0 0 0 -> r0 * (1-r1) * (1-r2) * (1-r3) + // 0 1 0 0 -> (1-r0) * r1 * (1-r2) * (1-r3) + // 1 1 0 0 -> r0 * r1 * (1-r2) * (1-r3) + // .... + // 1 1 1 1 -> r0 * r1 * r2 * r3 + // we will need 2^num_var evaluations + + let mut eval = Vec::new(); + build_eq_x_r_helper(r, &mut eval)?; + + let mle = DenseMultilinearExtension::from_evaluations_vec(r.len(), eval); + + let res = Rc::new(mle); + end_timer!(start); + Ok(res) +} + +/// A helper function to build eq(x, r) recursively. +/// This function takes `r.len()` steps, and for each step it requires a maximum +/// `r.len()-1` multiplications. +fn build_eq_x_r_helper(r: &[F], buf: &mut Vec) -> Result<(), PolyIOPErrors> { + if r.is_empty() { + return Err(PolyIOPErrors::InvalidParameters( + "r length is 0".to_string(), + )); + } else if r.len() == 1 { + // initializing the buffer with [1-r_0, r_0] + buf.push(F::one() - r[0]); + buf.push(r[0]); + } else { + build_eq_x_r_helper(&r[1..], buf)?; + + // suppose at the previous step we received [b_1, ..., b_k] + // for the current step we will need + // if x_0 = 0: (1-r0) * [b_1, ..., b_k] + // if x_0 = 1: r0 * [b_1, ..., b_k] + + let mut res = vec![]; + for &b_i in buf.iter() { + let tmp = r[0] * b_i; + res.push(b_i - tmp); + res.push(tmp); + } + *buf = res; + } + + Ok(()) +} + #[cfg(test)] pub(crate) mod test { use super::*; @@ -364,4 +492,70 @@ pub(crate) mod test { Ok(()) } + + #[test] + fn test_eq_xr() { + let mut rng = test_rng(); + for nv in 4..10 { + let r: Vec = (0..nv).map(|_| Fr::rand(&mut rng)).collect(); + let eq_x_r = build_eq_x_r(r.as_ref()).unwrap(); + let eq_x_r2 = build_eq_x_r_for_test(r.as_ref()); + assert_eq!(eq_x_r, eq_x_r2); + } + } + + /// Naive method to build eq(x, r). + /// Only used for testing purpose. + // Evaluate + // eq(x,y) = \prod_i=1^num_var (x_i * y_i + (1-x_i)*(1-y_i)) + // over r, which is + // eq(x,y) = \prod_i=1^num_var (x_i * r_i + (1-x_i)*(1-r_i)) + fn build_eq_x_r_for_test(r: &[F]) -> Rc> { + let start = start_timer!(|| "zero check naive build eq_x_r"); + + // we build eq(x,r) from its evaluations + // we want to evaluate eq(x,r) over x \in {0, 1}^num_vars + // for example, with num_vars = 4, x is a binary vector of 4, then + // 0 0 0 0 -> (1-r0) * (1-r1) * (1-r2) * (1-r3) + // 1 0 0 0 -> r0 * (1-r1) * (1-r2) * (1-r3) + // 0 1 0 0 -> (1-r0) * r1 * (1-r2) * (1-r3) + // 1 1 0 0 -> r0 * r1 * (1-r2) * (1-r3) + // .... + // 1 1 1 1 -> r0 * r1 * r2 * r3 + // we will need 2^num_var evaluations + + // First, we build array for {1 - r_i} + let one_minus_r: Vec = r.iter().map(|ri| F::one() - ri).collect(); + + let num_var = r.len(); + let mut eval = vec![]; + + for i in 0..1 << num_var { + let mut current_eval = F::one(); + let bit_sequence = bit_decompose(i, num_var); + + for (&bit, (ri, one_minus_ri)) in + bit_sequence.iter().zip(r.iter().zip(one_minus_r.iter())) + { + current_eval *= if bit { *ri } else { *one_minus_ri }; + } + eval.push(current_eval); + } + + let mle = DenseMultilinearExtension::from_evaluations_vec(num_var, eval); + + let res = Rc::new(mle); + end_timer!(start); + res + } + + fn bit_decompose(input: u64, num_var: usize) -> Vec { + let mut res = Vec::with_capacity(num_var); + let mut i = input; + for _ in 0..num_var { + res.push(i & 1 == 1); + i >>= 1; + } + res + } } diff --git a/poly-iop/src/zero_check/mod.rs b/poly-iop/src/zero_check/mod.rs index adb9d92..0de5c60 100644 --- a/poly-iop/src/zero_check/mod.rs +++ b/poly-iop/src/zero_check/mod.rs @@ -1,21 +1,20 @@ -use ark_ff::PrimeField; -use ark_poly::DenseMultilinearExtension; -use ark_std::{end_timer, start_timer}; -use std::rc::Rc; +//! Main module for the ZeroCheck protocol. use crate::{ errors::PolyIOPErrors, - structs::{DomainInfo, IOPProof, SubClaim}, + structs::{IOPProof, SubClaim}, sum_check::SumCheck, transcript::IOPTranscript, - virtual_poly::VirtualPolynomial, + virtual_poly::{VPAuxInfo, VirtualPolynomial}, PolyIOP, }; +use ark_ff::PrimeField; +use ark_std::{end_timer, start_timer}; pub trait ZeroCheck { type Proof; - type PolyList; - type DomainInfo; + type VirtualPolynomial; + type VPAuxInfo; type SubClaim; type Transcript; @@ -30,22 +29,22 @@ pub trait ZeroCheck { /// initialize the prover to argue for the sum of polynomial over /// {0,1}^`num_vars` is zero. fn prove( - poly: &Self::PolyList, + poly: &Self::VirtualPolynomial, transcript: &mut Self::Transcript, ) -> Result; /// verify the claimed sum using the proof fn verify( proof: &Self::Proof, - domain_info: &Self::DomainInfo, + aux_info: &Self::VPAuxInfo, transcript: &mut Self::Transcript, ) -> Result; } impl ZeroCheck for PolyIOP { type Proof = IOPProof; - type PolyList = VirtualPolynomial; - type DomainInfo = DomainInfo; + type VirtualPolynomial = VirtualPolynomial; + type VPAuxInfo = VPAuxInfo; /// A ZeroCheck SubClaim consists of /// - the SubClaim from the ZeroCheck @@ -63,29 +62,41 @@ impl ZeroCheck for PolyIOP { IOPTranscript::::new(b"Initializing ZeroCheck transcript") } - /// initialize the prover to argue for the sum of polynomial over + /// Initialize the prover to argue for the sum of polynomial f(x) over /// {0,1}^`num_vars` is zero. + /// + /// f(x) is zero if \hat f(x) := f(x) * eq(x,r) is also a zero polynomial + /// for a random r sampled from transcript. + /// + /// This function will build the \hat f(x) and then invoke the sumcheck + /// protocol to generate a proof for which the sum of \hat f(x) is zero fn prove( - poly: &Self::PolyList, + poly: &Self::VirtualPolynomial, transcript: &mut Self::Transcript, ) -> Result { let start = start_timer!(|| "zero check prove"); - let length = poly.domain_info.num_variables; + let length = poly.aux_info.num_variables; let r = transcript.get_and_append_challenge_vectors(b"vector r", length)?; - let f_hat = build_f_hat(poly, r.as_ref())?; + let f_hat = poly.build_f_hat(r.as_ref())?; let res = >::prove(&f_hat, transcript); end_timer!(start); res } - /// Verify the claimed sum using the proof. - /// the initial challenge `r` is also returned. - /// The caller needs to makes sure that `\hat f = f * eq(x, r)` + /// Verify that the polynomial's sum is zero using the proof. + /// Return a Self::Subclaim that consists of the + /// + /// - a Subclaim that the sum is zero + /// - the initial challenge `r` that is used to build `eq(x, r)` + /// + /// This function will check that \hat f(x)'s sum is zero. It does not check + /// `\hat f(x)` is build correctly. The caller needs to makes sure that + /// `\hat f(x) = f(x) * eq(x, r)` fn verify( proof: &Self::Proof, - fx_domain_info: &Self::DomainInfo, + fx_aux_info: &Self::VPAuxInfo, transcript: &mut Self::Transcript, ) -> Result { let start = start_timer!(|| "zero check verify"); @@ -99,112 +110,27 @@ impl ZeroCheck for PolyIOP { } // generate `r` and pass it to the caller for correctness check - let length = fx_domain_info.num_variables; + let length = fx_aux_info.num_variables; let r = transcript.get_and_append_challenge_vectors(b"vector r", length)?; // hat_fx's max degree is increased by eq(x, r).degree() which is 1 - let mut hat_fx_domain_info = fx_domain_info.clone(); - hat_fx_domain_info.max_degree += 1; + let mut hat_fx_aux_info = fx_aux_info.clone(); + hat_fx_aux_info.max_degree += 1; let subclaim = - >::verify(F::zero(), proof, &hat_fx_domain_info, transcript)?; + >::verify(F::zero(), proof, &hat_fx_aux_info, transcript)?; end_timer!(start); Ok((subclaim, r)) } } -// Input poly f(x) and a random vector r, output -// \hat f(x) = \sum_{x_i \in eval_x} f(x_i) eq(x, r) -// where -// eq(x,y) = \prod_i=1^num_var (x_i * y_i + (1-x_i)*(1-y_i)) -fn build_f_hat( - poly: &VirtualPolynomial, - r: &[F], -) -> Result, PolyIOPErrors> { - let start = start_timer!(|| "zero check build hat f"); - - assert_eq!(poly.domain_info.num_variables, r.len()); - - let eq_x_r = build_eq_x_r(r)?; - let mut res = poly.clone(); - res.mul_by_mle(eq_x_r, F::one())?; - - end_timer!(start); - Ok(res) -} - -// Evaluate -// eq(x,y) = \prod_i=1^num_var (x_i * y_i + (1-x_i)*(1-y_i)) -// over r, which is -// eq(x,y) = \prod_i=1^num_var (x_i * r_i + (1-x_i)*(1-r_i)) -pub fn build_eq_x_r( - r: &[F], -) -> Result>, PolyIOPErrors> { - let start = start_timer!(|| "zero check build eq_x_r"); - - // we build eq(x,r) from its evaluations - // we want to evaluate eq(x,r) over x \in {0, 1}^num_vars - // for example, with num_vars = 4, x is a binary vector of 4, then - // 0 0 0 0 -> (1-r0) * (1-r1) * (1-r2) * (1-r3) - // 1 0 0 0 -> r0 * (1-r1) * (1-r2) * (1-r3) - // 0 1 0 0 -> (1-r0) * r1 * (1-r2) * (1-r3) - // 1 1 0 0 -> r0 * r1 * (1-r2) * (1-r3) - // .... - // 1 1 1 1 -> r0 * r1 * r2 * r3 - // we will need 2^num_var evaluations - - let mut eval = Vec::new(); - build_eq_x_r_helper(r, &mut eval)?; - - let mle = DenseMultilinearExtension::from_evaluations_vec(r.len(), eval); - - let res = Rc::new(mle); - end_timer!(start); - Ok(res) -} - -/// A helper function to build eq(x, r) recursively. -/// This function takes `r.len()` steps, and for each step it requires a maximum -/// `r.len()-1` multiplications. -fn build_eq_x_r_helper(r: &[F], buf: &mut Vec) -> Result<(), PolyIOPErrors> { - if r.is_empty() { - return Err(PolyIOPErrors::InvalidParameters( - "r length is 0".to_string(), - )); - } else if r.len() == 1 { - // initializing the buffer with [1-r0, r0] - buf.push(F::one() - r[0]); - buf.push(r[0]); - } else { - build_eq_x_r_helper(&r[1..], buf)?; - - // suppose in the previous step we have [b1, ..., b_k] - // for the current step we will need - // if x0 = 0: (1-r0) * [b_1, ..., b_k] - // if x0 = 1: r0 * [b1, ..., b_k] - - let mut res = vec![]; - for &e in buf.iter() { - let tmp = e * r[0]; - res.push(e - tmp); - res.push(tmp); - } - *buf = res; - } - - Ok(()) -} - #[cfg(test)] mod test { - use super::{build_eq_x_r, ZeroCheck}; + use super::ZeroCheck; use crate::{errors::PolyIOPErrors, PolyIOP, VirtualPolynomial}; use ark_bls12_381::Fr; - use ark_ff::{PrimeField, UniformRand}; - use ark_poly::DenseMultilinearExtension; - use ark_std::{end_timer, start_timer, test_rng}; - use std::rc::Rc; + use ark_std::test_rng; fn test_zerocheck( nv: usize, @@ -222,7 +148,7 @@ mod test { transcript.append_message(b"testing", b"initializing transcript for testing")?; let proof = as ZeroCheck>::prove(&poly, &mut transcript)?; - let poly_info = poly.domain_info.clone(); + let poly_info = poly.aux_info.clone(); let mut transcript = as ZeroCheck>::init_transcript(); transcript.append_message(b"testing", b"initializing transcript for testing")?; let subclaim = @@ -242,7 +168,7 @@ mod test { transcript.append_message(b"testing", b"initializing transcript for testing")?; let proof = as ZeroCheck>::prove(&poly, &mut transcript)?; - let poly_info = poly.domain_info.clone(); + let poly_info = poly.aux_info.clone(); let mut transcript = as ZeroCheck>::init_transcript(); transcript.append_message(b"testing", b"initializing transcript for testing")?; @@ -281,70 +207,4 @@ mod test { assert!(test_zerocheck(nv, num_multiplicands_range, num_products).is_err()); Ok(()) } - - #[test] - fn test_eq_xr() { - let mut rng = test_rng(); - for nv in 4..10 { - let r: Vec = (0..nv).map(|_| Fr::rand(&mut rng)).collect(); - let eq_x_r = build_eq_x_r(r.as_ref()).unwrap(); - let eq_x_r2 = build_eq_x_r_for_test(r.as_ref()); - assert_eq!(eq_x_r, eq_x_r2); - } - } - - /// Naive method to build eq(x, r). - /// Only used for testing purpose. - // Evaluate - // eq(x,y) = \prod_i=1^num_var (x_i * y_i + (1-x_i)*(1-y_i)) - // over r, which is - // eq(x,y) = \prod_i=1^num_var (x_i * r_i + (1-x_i)*(1-r_i)) - fn build_eq_x_r_for_test(r: &[F]) -> Rc> { - let start = start_timer!(|| "zero check naive build eq_x_r"); - - // we build eq(x,r) from its evaluations - // we want to evaluate eq(x,r) over x \in {0, 1}^num_vars - // for example, with num_vars = 4, x is a binary vector of 4, then - // 0 0 0 0 -> (1-r0) * (1-r1) * (1-r2) * (1-r3) - // 1 0 0 0 -> r0 * (1-r1) * (1-r2) * (1-r3) - // 0 1 0 0 -> (1-r0) * r1 * (1-r2) * (1-r3) - // 1 1 0 0 -> r0 * r1 * (1-r2) * (1-r3) - // .... - // 1 1 1 1 -> r0 * r1 * r2 * r3 - // we will need 2^num_var evaluations - - // First, we build array for {1 - r_i} - let one_minus_r: Vec = r.iter().map(|ri| F::one() - ri).collect(); - - let num_var = r.len(); - let mut eval = vec![]; - - for i in 0..1 << num_var { - let mut current_eval = F::one(); - let bit_sequence = bit_decompose(i, num_var); - - for (&bit, (ri, one_minus_ri)) in - bit_sequence.iter().zip(r.iter().zip(one_minus_r.iter())) - { - current_eval *= if bit { *ri } else { *one_minus_ri }; - } - eval.push(current_eval); - } - - let mle = DenseMultilinearExtension::from_evaluations_vec(num_var, eval); - - let res = Rc::new(mle); - end_timer!(start); - res - } - - fn bit_decompose(input: u64, num_var: usize) -> Vec { - let mut res = Vec::with_capacity(num_var); - let mut i = input; - for _ in 0..num_var { - res.push(i & 1 == 1); - i >>= 1; - } - res - } }