From 590512de0c2546ffa5a7e142201fb3d6998037e2 Mon Sep 17 00:00:00 2001 From: arnaucube Date: Sun, 23 Apr 2023 23:11:18 +0200 Subject: [PATCH] sumcheck use transcript, reorganize some files --- src/{novacircuit.rs => circuits.rs} | 3 +- src/lib.rs | 4 +- src/nifs.rs | 16 ++++-- src/pedersen.rs | 12 ++--- src/r1cs.rs | 34 ------------- src/sumcheck.rs | 75 +++++++++++++++++++++-------- src/transcript.rs | 2 + 7 files changed, 78 insertions(+), 68 deletions(-) rename src/{novacircuit.rs => circuits.rs} (96%) delete mode 100644 src/r1cs.rs diff --git a/src/novacircuit.rs b/src/circuits.rs similarity index 96% rename from src/novacircuit.rs rename to src/circuits.rs index 9e64004..69b77df 100644 --- a/src/novacircuit.rs +++ b/src/circuits.rs @@ -1,4 +1,5 @@ use ark_crypto_primitives::snark::{FromFieldElementsGadget, SNARKGadget, SNARK}; +use ark_ec::AffineRepr; use ark_ec::CurveGroup; use ark_ff::{fields::Fp256, Field, PrimeField}; use ark_r1cs_std::{ @@ -42,8 +43,6 @@ impl, Cfg: Co { fn generate_constraints(self, cs: ConstraintSystemRef) -> Result<(), SynthesisError> { unimplemented!(); - // nifscircuit::NIFSGadget::>::verify(); - // hash } } diff --git a/src/lib.rs b/src/lib.rs index 3e823b7..8c476bd 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -3,9 +3,9 @@ #![allow(non_upper_case_globals)] #![allow(unused)] // TMP +mod circuits; mod nifs; -mod novacircuit; mod pedersen; -mod r1cs; +mod sumcheck; mod transcript; mod utils; diff --git a/src/nifs.rs b/src/nifs.rs index 1f71683..d086f44 100644 --- a/src/nifs.rs +++ b/src/nifs.rs @@ -1,15 +1,21 @@ use ark_ec::AffineRepr; +use ark_ff::fields::PrimeField; +use ark_std::{ + rand::{Rng, RngCore}, + UniformRand, +}; use ark_std::{One, Zero}; use std::marker::PhantomData; use crate::pedersen::{Commitment, Params as PedersenParams, Pedersen, Proof as PedersenProof}; -use crate::r1cs::*; use crate::transcript::Transcript; use crate::utils::*; -use ark_std::{ - rand::{Rng, RngCore}, - UniformRand, -}; + +pub struct R1CS { + pub A: Vec>, + pub B: Vec>, + pub C: Vec>, +} // Phi: φ in the paper (later 𝖴), a folded instance pub struct Phi { diff --git a/src/pedersen.rs b/src/pedersen.rs index 58afaf8..0228001 100644 --- a/src/pedersen.rs +++ b/src/pedersen.rs @@ -22,7 +22,7 @@ pub struct Proof { pub struct Params { g: C, h: C, - pub r_vec: Vec, + pub generators: Vec, } pub struct Pedersen { @@ -33,11 +33,11 @@ impl Pedersen { pub fn new_params(rng: &mut R, max: usize) -> Params { let h_scalar = C::ScalarField::rand(rng); let g: C = C::generator(); - let r_vec: Vec = vec![C::rand(rng); max]; + let generators: Vec = vec![C::rand(rng); max]; let params: Params = Params:: { g, h: g.mul(h_scalar).into(), - r_vec, // will need 2 r: rE, rW + generators, }; params } @@ -56,7 +56,7 @@ impl Pedersen { v: &Vec, r: &C::ScalarField, // random value is provided, in order to be choosen by other parts of the protocol ) -> Commitment { - let cm = params.h.mul(r) + naive_msm(v, ¶ms.r_vec); + let cm = params.h.mul(r) + naive_msm(v, ¶ms.generators); Commitment::(cm.into()) } @@ -91,7 +91,7 @@ impl Pedersen { let r1 = transcript.get_challenge(b"r_1"); let d = transcript.get_challenge_vec(b"d", v.len()); - let R: C = (params.h.mul(r1) + naive_msm(&d, ¶ms.r_vec)).into(); + let R: C = (params.h.mul(r1) + naive_msm(&d, ¶ms.generators)).into(); transcript.add(b"cm", &cm.0); transcript.add(b"R", &R); @@ -116,7 +116,7 @@ impl Pedersen { transcript.add(b"R", &proof.R); let e = transcript.get_challenge(b"e"); let lhs = proof.R + cm.0.mul(e); - let rhs = params.h.mul(proof.ru_) + naive_msm(&proof.u_, ¶ms.r_vec); + let rhs = params.h.mul(proof.ru_) + naive_msm(&proof.u_, ¶ms.generators); if lhs != rhs { return false; } diff --git a/src/r1cs.rs b/src/r1cs.rs deleted file mode 100644 index 0885c32..0000000 --- a/src/r1cs.rs +++ /dev/null @@ -1,34 +0,0 @@ -use crate::pedersen; - -use ark_ff::fields::PrimeField; -use core::ops::Add; - -// this file contains an abstraction of R1CS struct, to later be plugged from arkworks -// ConstraintSystem or something similar. - -pub struct R1CS { - pub A: Vec>, - pub B: Vec>, - pub C: Vec>, -} - -pub struct RelaxedR1CS { - pub ABC: R1CS, - pub u: F, - pub E: F, -} - -impl R1CS { - pub fn relax(self) -> RelaxedR1CS { - RelaxedR1CS:: { - ABC: self, - u: F::one(), - E: F::zero(), - } - } -} -impl RelaxedR1CS { - pub fn fold(self, other: Self, r: F) -> Self { - unimplemented!(); - } -} diff --git a/src/sumcheck.rs b/src/sumcheck.rs index 6dd1668..43eb9a2 100644 --- a/src/sumcheck.rs +++ b/src/sumcheck.rs @@ -1,5 +1,5 @@ // Sum-check protocol initial implementation, not used by the rest of the repo but implemented as -// an exercise and might be used in the future. +// an exercise and it will probably be used in the future. use ark_ff::{BigInteger, PrimeField}; use ark_poly::{ @@ -14,6 +14,8 @@ use ark_std::marker::PhantomData; use ark_std::ops::Mul; use ark_std::{rand::Rng, UniformRand}; +use crate::transcript::Transcript; + pub struct SumCheck< F: PrimeField, UV: Polynomial + DenseUVPolynomial, @@ -81,10 +83,8 @@ impl< fn point_complete(challenges: Vec, n_elems: usize, iter_num: usize) -> Vec { let p = Self::point(challenges, false, n_elems, iter_num); - // let mut r = Vec::new(); let mut r = vec![F::zero(); n_elems]; for i in 0..n_elems { - // r.push(p[i].unwrap()); r[i] = p[i].unwrap(); } r @@ -96,7 +96,7 @@ impl< if none { // WIP if n_vars == 0 { - panic!("err"); + panic!("err"); // or return directly challenges vector } n_vars -= 1; } @@ -125,9 +125,10 @@ impl< where >::Point: From>, { - let v = g.num_vars(); + // init transcript + let mut transcript: Transcript = Transcript::::new(); - let r = vec![F::from(2_u32), F::from(3_u32), F::from(6_u32)]; // TMP will come from transcript + let v = g.num_vars(); // compute H let mut H = F::zero(); @@ -136,43 +137,56 @@ impl< H = H + g.evaluate(&p.into()); } + transcript.add(b"H", &H); let mut ss: Vec = Vec::new(); + let mut r: Vec = vec![]; for i in 0..v { + let r_i = transcript.get_challenge(b"r_i"); + r.push(r_i); + let var_slots = v - 1 - i; let n_points = 2_u64.pow(var_slots as u32) as usize; + let mut s_i = UV::zero(); - let r_round = r.as_slice()[..i].to_vec(); for j in 0..n_points { - let point = Self::point(r_round.clone(), true, v, j); + let point = Self::point(r[..i].to_vec(), true, v, j); s_i = s_i + Self::partial_evaluate(&g, &point); } + transcript.add(b"s_i", &s_i); ss.push(s_i); } - let point_last = r; - let last_g_eval = g.evaluate(&point_last.into()); + let last_g_eval = g.evaluate(&r.into()); (H, ss, last_g_eval) } pub fn verify(proof: (F, Vec, F)) -> bool { - // let c: F, ss: Vec; - let (c, ss, last_g_eval) = proof; + // init transcript + let mut transcript: Transcript = Transcript::::new(); + transcript.add(b"H", &proof.0); - let r = vec![F::from(2_u32), F::from(3_u32), F::from(6_u32)]; // TMP will come from transcript + let (c, ss, last_g_eval) = proof; + let mut r: Vec = vec![]; for (i, s) in ss.iter().enumerate() { // TODO check degree if i == 0 { if c != s.evaluate(&F::zero()) + s.evaluate(&F::one()) { return false; } + let r_i = transcript.get_challenge(b"r_i"); + r.push(r_i); + transcript.add(b"s_i", s); continue; } + let r_i = transcript.get_challenge(b"r_i"); + r.push(r_i); if ss[i - 1].evaluate(&r[i - 1]) != s.evaluate(&F::zero()) + s.evaluate(&F::one()) { return false; } + transcript.add(b"s_i", s); } // last round if ss[ss.len() - 1].evaluate(&r[r.len() - 1]) != last_g_eval { @@ -264,9 +278,6 @@ mod tests { #[test] fn test_flow_hardcoded_values() { let mut rng = ark_std::test_rng(); - // let p = SparsePolynomial::::rand(deg, 3, &mut rng); - // let p = rand_poly(3, 3, &mut rng); - // g(X_0, X_1, X_2) = 2 X_0^3 + X_0 X_2 + X_1 X_2 let terms = vec![ (Fr::from(2u32), SparseTerm::new(vec![(0_usize, 3)])), @@ -286,17 +297,43 @@ mod tests { let proof = SC::prove(p); assert_eq!(proof.0, Fr::from(12_u32)); - println!("proof {:?}", proof); + // println!("proof {:?}", proof); let v = SC::verify(proof); assert!(v); } + fn rand_poly(l: usize, d: usize, rng: &mut R) -> SparsePolynomial { + // This method is from the arkworks/algebra/poly/multivariate test: + // https://github.com/arkworks-rs/algebra/blob/bc991d44c5e579025b7ed56df3d30267a7b9acac/poly/src/polynomial/multivariate/sparse.rs#L303 + let mut random_terms = Vec::new(); + let num_terms = rng.gen_range(1..1000); + // For each term, randomly select up to `l` variables with degree + // in [1,d] and random coefficient + random_terms.push((Fr::rand(rng), SparseTerm::new(vec![]))); + for _ in 1..num_terms { + let term = (0..l) + .map(|i| { + if rng.gen_bool(0.5) { + Some((i, rng.gen_range(1..(d + 1)))) + } else { + None + } + }) + .flatten() + .collect(); + let coeff = Fr::rand(rng); + random_terms.push((coeff, SparseTerm::new(term))); + } + SparsePolynomial::from_coefficients_slice(l, &random_terms) + } + #[test] fn test_flow_rng() { let mut rng = ark_std::test_rng(); - let p = SparsePolynomial::::rand(3, 3, &mut rng); - println!("p {:?}", p); + // let p = SparsePolynomial::::rand(3, 3, &mut rng); + let p = rand_poly(3, 3, &mut rng); + // println!("p {:?}", p); type SC = SumCheck, SparsePolynomial>; diff --git a/src/transcript.rs b/src/transcript.rs index 94b444b..3d56ba7 100644 --- a/src/transcript.rs +++ b/src/transcript.rs @@ -3,6 +3,8 @@ use ark_serialize::CanonicalSerialize; use merlin::Transcript as MerlinTranscript; use std::marker::PhantomData; +// TODO poseidon transcript (not keccak) + // This Transcript approach is a modified version from https://github.com/arkworks-rs/gemini , // using Merlin transcript (https://merlin.cool). pub struct Transcript {