From ab2b04740225eb1e11cdf69632527bf993c558d9 Mon Sep 17 00:00:00 2001 From: arnaucube Date: Wed, 19 Apr 2023 16:18:41 +0200 Subject: [PATCH] folding witness & crossterms works, add Ve helpers --- README.md | 2 +- src/nifs.rs | 106 +++++++++++++++++++++++++++++++++++++-------------- src/utils.rs | 67 ++++++++++++++++++++++++++------ 3 files changed, 133 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index baf7857..afdf6ac 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,6 @@ Implementation of [Nova](https://eprint.iacr.org/2021/370.pdf) using [arkworks-r > Warning: Implementation from scratch to learn the internals of Nova. Do not use in production. -This repo is an ongoing implementation, the code will be dirty for a while and not optimized and not to be used but just to understand and experiment with the internals of the scheme and try experimental combinations. +This repo is an ongoing implementation, the code will be dirty for a while and not optimized but just to understand and experiment with the internals of the scheme and try experimental combinations. Thanks to [levs57](https://twitter.com/levs57) for clarifications on the Nova folding. diff --git a/src/nifs.rs b/src/nifs.rs index fd8f9a3..893958a 100644 --- a/src/nifs.rs +++ b/src/nifs.rs @@ -1,17 +1,24 @@ use ark_ec::AffineRepr; use ark_std::ops::Add; +use ark_std::One; use std::marker::PhantomData; -use crate::pedersen::{Commitment, CommitmentVec}; +use crate::pedersen::{Commitment, CommitmentVec, Params as PedersenParams, Pedersen}; use crate::r1cs::*; use crate::transcript::Transcript; use crate::utils::*; +use ark_std::{ + rand::{Rng, RngCore}, + UniformRand, +}; // Phi: φ in the paper (later 𝖴), a folded instance pub struct Phi { - cmE: Commitment, // TODO not Commitment but directly C (without rE) + // cmE: CommitmentVec, // TODO not Commitment but directly C (without rE) + cmE: C, u: C::ScalarField, - cmW: Commitment, // TODO not Commitment but directly C (without rW) + // cmW: CommitmentVec, // TODO not Commitment but directly C (without rW) + cmW: C, x: Vec, } @@ -24,8 +31,21 @@ pub struct FWit { } impl FWit { - pub fn commit(&self) -> Phi { - unimplemented!(); + pub fn commit( + &self, + rng: &mut R, + params: &PedersenParams, + x: Vec, + ) -> Phi { + // TODO instead of rand r, use self.rE and self.rW for the commit_vec + let cmE = Pedersen::commit_vec(rng, ¶ms, &self.E); + let cmW = Pedersen::commit_vec(rng, ¶ms, &self.W); + Phi { + cmE: cmE.cm, + u: C::ScalarField::one(), + cmW: cmW.cm, + x, + } } } @@ -46,17 +66,19 @@ impl NIFS { // this is parallelizable (for the future) let Az1 = matrix_vector_product(&A, &z1); let Bz1 = matrix_vector_product(&B, &z1); - let Az1_Bz1 = hadamard_product(Az1, Bz1); + let Cz1 = matrix_vector_product(&C, &z1); let Az2 = matrix_vector_product(&A, &z2); let Bz2 = matrix_vector_product(&B, &z2); - let Az2_Bz2 = hadamard_product(Az2, Bz2); let Cz2 = matrix_vector_product(&C, &z2); - let Cz1 = matrix_vector_product(&C, &z1); + + let Az1_Bz2 = hadamard_product(Az1, Bz2); + let Az2_Bz1 = hadamard_product(Az2, Bz1); let u1Cz2 = vector_elem_product(&Cz2, &cs1.u); let u2Cz1 = vector_elem_product(&Cz1, &cs2.u); - // this will get simplifyied with future operators from Add trait - let T = vec_sub(vec_sub(vec_add(Az1_Bz1, Az2_Bz2), u1Cz2), u2Cz1); - T + + // let T = vec_sub(vec_sub(vec_add(Az1_Bz2, Az2_Bz1), u1Cz2), u2Cz1); + let T = ((Ve(Az1_Bz2) + Ve(Az2_Bz1)) - Ve(u1Cz2)) - Ve(u2Cz1); + T.0 } pub fn fold_witness( @@ -67,12 +89,15 @@ impl NIFS { ) -> FWit { let r2 = r * r; let E: Vec = vec_add( - // TODO this syntax will be simplified with future operators impl + // this syntax will be simplified with future operators impl (or at least a method + // for r-lin) vec_add(fw1.E.clone(), vector_elem_product(&T, &r)), + // rlin(fw1.E.clone(), T, r), vector_elem_product(&fw2.E, &r2), ); - let rE = fw1.rE + r * fw2.rE; + let rE = fw1.rE + r2 * fw2.rE; // TODO rT let W = vec_add(fw1.W.clone(), vector_elem_product(&fw2.W, &r)); + // let W = rlin(fw1.W.clone(), fw2.W.clone(), r); let rW = fw1.rW + r * fw2.rW; FWit:: { E: E.into(), @@ -90,21 +115,24 @@ impl NIFS { ) -> Phi { let r2 = r * r; - let cmE = phi1.cmE.cm + cmT.cm.mul(r) + phi2.cmE.cm.mul(r2); + let cmE = phi1.cmE + cmT.cm.mul(r) + phi2.cmE.mul(r2); let u = phi1.u + r * phi2.u; - let cmW = phi1.cmW.cm + phi2.cmW.cm.mul(r); + let cmW = phi1.cmW + phi2.cmW.mul(r); let x = vec_add(phi1.x, vector_elem_product(&phi2.x, &r)); + // let x = rlin(phi1.x, phi2.x, r); Phi:: { - cmE: Commitment:: { - cm: cmE.into(), - r: phi1.cmE.r, - }, + // cmE: Commitment:: { + // cm: cmE.into(), + // r: phi1.cmE.r, + // }, + cmE: cmE.into(), u, - cmW: Commitment:: { - cm: cmW.into(), - r: phi1.cmW.r, - }, + // cmW: Commitment:: { + // cm: cmW.into(), + // r: phi1.cmW.r, + // }, + cmW: cmW.into(), x, } } @@ -127,7 +155,8 @@ mod tests { fn test_simple_folding() { let mut rng = ark_std::test_rng(); - // R1CS for: x^3 + x + 5 = y + // R1CS for: x^3 + x + 5 = y (example from article + // https://www.vitalik.ca/general/2016/12/10/qap.html ) let A = to_F_matrix::(vec![ vec![0, 1, 0, 0, 0, 0], vec![0, 0, 0, 1, 0, 0], @@ -147,7 +176,9 @@ mod tests { vec![0, 0, 1, 0, 0, 0], ]); let z1 = to_F_vec::(vec![1, 3, 35, 9, 27, 30]); + let x1 = to_F_vec::(vec![35]); let z2 = to_F_vec::(vec![1, 4, 73, 16, 64, 68]); + let x2 = to_F_vec::(vec![73]); let relaxed_r1cs_1 = R1CS:: { A: A.clone(), @@ -155,7 +186,12 @@ mod tests { C: C.clone(), } .relax(); - let relaxed_r1cs_2 = R1CS:: { A, B, C }.relax(); + let relaxed_r1cs_2 = R1CS:: { + A: A.clone(), + B: B.clone(), + C: C.clone(), + } + .relax(); let T = NIFS::::comp_T(relaxed_r1cs_1, relaxed_r1cs_2, &z1, &z2); let params = Pedersen::::new_params(&mut rng); @@ -179,11 +215,23 @@ mod tests { // fold witness let folded_witness = NIFS::::fold_witness(r, &fw1, &fw2, T); - let phi1 = fw1.commit(); // <- unimplemented - let phi2 = fw2.commit(); + + let pedersen_params = Pedersen::::new_params(&mut rng); + let phi1 = fw1.commit(&mut rng, &pedersen_params, x1); // wip + let phi2 = fw2.commit(&mut rng, &pedersen_params, x2); // fold instance let folded_instance = NIFS::::fold_instance(r, phi1, phi2, cmT); - // naive check r1cs of the folded witness - // assert_eq!(hadamard_product(Az, Bz), vec_add(vector_elem_product(Cz, u), E)); + + // naive check that the folded witness satisfies the relaxed r1cs + let Az = matrix_vector_product(&A, &folded_witness.W); + let Bz = matrix_vector_product(&B, &folded_witness.W); + let Cz = matrix_vector_product(&C, &folded_witness.W); + assert_eq!( + hadamard_product(Az, Bz), + vec_add( + vector_elem_product(&Cz, &folded_instance.u), + folded_witness.E + ) + ); } } diff --git a/src/utils.rs b/src/utils.rs index 903fe27..4618150 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -1,6 +1,7 @@ use ark_ec::AffineRepr; use ark_ff::fields::PrimeField; -use core::ops::Add; +use core::ops::{Add, Sub}; +use std::fmt; pub fn vector_elem_product(a: &Vec, e: &F) -> Vec { // maybe move this method to operator a * e @@ -30,6 +31,11 @@ pub fn hadamard_product(a: Vec, b: Vec) -> Vec { r } +// rlin: random linear combination +// pub fn rlin(a: Vec, b: Vec, r: F) -> Vec { +// vec_add(a, vector_elem_product(&b, &r)) // WIP probably group loops +// } + pub fn naive_msm(s: &Vec, p: &Vec) -> C { // check lengths @@ -47,17 +53,6 @@ pub fn vec_add(a: Vec, b: Vec) -> Vec { } r } -// TODO instead of vec_add do: -// impl<'a, 'b, F> Add<&'b Vec> for &'a Vec { -// type Output = Vec; -// fn add(self, rhs: &'b Vec) -> Vec { -// let mut r: Vec = vec![F::zero(); self.len()]; -// for i in 0..self.len() { -// r[i] = self[i] + rhs[i]; -// } -// r -// } -// } pub fn vec_sub(a: Vec, b: Vec) -> Vec { let mut r: Vec = vec![F::zero(); a.len()]; for i in 0..a.len() { @@ -66,6 +61,48 @@ pub fn vec_sub(a: Vec, b: Vec) -> Vec { r } +// instead of vec_{add/sub} can use Ve wrapper which has '+', '-' operators +#[derive(Debug, Clone, PartialEq)] +pub struct Ve(pub Vec); + +impl fmt::Display for Ve { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + for (i, e) in self.0.iter().enumerate() { + if i == self.0.len() - 1 { + write!(f, "{}", e)?; + break; + } + write!(f, "{}, ", e)?; + } + Ok(()) + } +} + +impl Add> for Ve { + type Output = Ve; + fn add(self, rhs_vec: Self) -> Ve { + let lhs = self.0.clone(); + let rhs = rhs_vec.0.clone(); + let mut r: Vec = vec![F::zero(); lhs.len()]; + for i in 0..self.0.len() { + r[i] = lhs[i] + rhs[i]; + } + Ve(r) + } +} +impl Sub> for Ve { + type Output = Ve; + fn sub(self, rhs_vec: Self) -> Ve { + let lhs = self.0.clone(); + let rhs = rhs_vec.0.clone(); + let mut r: Vec = vec![F::zero(); lhs.len()]; + for i in 0..self.0.len() { + r[i] = lhs[i] - rhs[i]; + } + Ve(r) + } +} + pub fn to_F_matrix(M: Vec>) -> Vec> { let mut R: Vec> = vec![Vec::new(); M.len()]; for i in 0..M.len() { @@ -114,6 +151,12 @@ mod tests { to_F_vec(vec![7, 16, 27, 40, 55, 72]) ); } + #[test] + fn test_vec_add() { + let a: Vec = to_F_vec::(vec![1, 2, 3, 4, 5, 6]); + let b: Vec = to_F_vec(vec![7, 8, 9, 10, 11, 12]); + assert_eq!(vec_add(a.clone(), b.clone()), (Ve(a) + Ve(b)).0); + } #[test] fn test_ABC_hadamard() {