arnaucube/nova-study
1
0
Fork 0
mirror of https://github.com/arnaucube/nova-study.git synced 2026-01-09 23:51:29 +01:00
Code Issues Projects Releases Wiki Activity

folding witness & crossterms works, add Ve helpers

Browse Source
This commit is contained in:
arnaucube
2023-04-19 16:18:41 +02:00
parent 5a43ecd268
commit ab2b047402
3 changed files with 133 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -4,6 +4,6 @@ Implementation of [Nova](https://eprint.iacr.org/2021/370.pdf) using [arkworks-r
> Warning: Implementation from scratch to learn the internals of Nova. Do not use in production. > Warning: Implementation from scratch to learn the internals of Nova. Do not use in production.
This repo is an ongoing implementation, the code will be dirty for a while and not optimized and not to be used but just to understand and experiment with the internals of the scheme and try experimental combinations. This repo is an ongoing implementation, the code will be dirty for a while and not optimized but just to understand and experiment with the internals of the scheme and try experimental combinations.
Thanks to [levs57](https://twitter.com/levs57) for clarifications on the Nova folding. Thanks to [levs57](https://twitter.com/levs57) for clarifications on the Nova folding.

106
src/nifs.rs
View File

@@ -1,17 +1,24 @@
use ark_ec::AffineRepr; use ark_ec::AffineRepr;
use ark_std::ops::Add; use ark_std::ops::Add;
use ark_std::One;
use std::marker::PhantomData; use std::marker::PhantomData;
use crate::pedersen::{Commitment, CommitmentVec}; use crate::pedersen::{Commitment, CommitmentVec, Params as PedersenParams, Pedersen};
use crate::r1cs::*; use crate::r1cs::*;
use crate::transcript::Transcript; use crate::transcript::Transcript;
use crate::utils::*; use crate::utils::*;
use ark_std::{
rand::{Rng, RngCore},
UniformRand,
};
// Phi: φ in the paper (later 𝖴), a folded instance // Phi: φ in the paper (later 𝖴), a folded instance
pub struct Phi<C: AffineRepr> { pub struct Phi<C: AffineRepr> {
cmE: Commitment<C>, // TODO not Commitment but directly C (without rE) // cmE: CommitmentVec<C>, // TODO not Commitment but directly C (without rE)
cmE: C,
u: C::ScalarField, u: C::ScalarField,
cmW: Commitment<C>, // TODO not Commitment but directly C (without rW) // cmW: CommitmentVec<C>, // TODO not Commitment but directly C (without rW)
cmW: C,
x: Vec<C::ScalarField>, x: Vec<C::ScalarField>,
} }
@@ -24,8 +31,21 @@ pub struct FWit<C: AffineRepr> {
} }
impl<C: AffineRepr> FWit<C> { impl<C: AffineRepr> FWit<C> {
pub fn commit(&self) -> Phi<C> { pub fn commit<R: Rng>(
unimplemented!(); &self,
rng: &mut R,
params: &PedersenParams<C>,
x: Vec<C::ScalarField>,
) -> Phi<C> {
// TODO instead of rand r, use self.rE and self.rW for the commit_vec
let cmE = Pedersen::commit_vec(rng, &params, &self.E);
let cmW = Pedersen::commit_vec(rng, &params, &self.W);
Phi {
cmE: cmE.cm,
u: C::ScalarField::one(),
cmW: cmW.cm,
x,
}
} }
} }
@@ -46,17 +66,19 @@ impl<C: AffineRepr> NIFS<C> {
// this is parallelizable (for the future) // this is parallelizable (for the future)
let Az1 = matrix_vector_product(&A, &z1); let Az1 = matrix_vector_product(&A, &z1);
let Bz1 = matrix_vector_product(&B, &z1); let Bz1 = matrix_vector_product(&B, &z1);
let Az1_Bz1 = hadamard_product(Az1, Bz1); let Cz1 = matrix_vector_product(&C, &z1);
let Az2 = matrix_vector_product(&A, &z2); let Az2 = matrix_vector_product(&A, &z2);
let Bz2 = matrix_vector_product(&B, &z2); let Bz2 = matrix_vector_product(&B, &z2);
let Az2_Bz2 = hadamard_product(Az2, Bz2);
let Cz2 = matrix_vector_product(&C, &z2); let Cz2 = matrix_vector_product(&C, &z2);
let Cz1 = matrix_vector_product(&C, &z1);
let Az1_Bz2 = hadamard_product(Az1, Bz2);
let Az2_Bz1 = hadamard_product(Az2, Bz1);
let u1Cz2 = vector_elem_product(&Cz2, &cs1.u); let u1Cz2 = vector_elem_product(&Cz2, &cs1.u);
let u2Cz1 = vector_elem_product(&Cz1, &cs2.u); let u2Cz1 = vector_elem_product(&Cz1, &cs2.u);
// this will get simplifyied with future operators from Add trait
let T = vec_sub(vec_sub(vec_add(Az1_Bz1, Az2_Bz2), u1Cz2), u2Cz1); // let T = vec_sub(vec_sub(vec_add(Az1_Bz2, Az2_Bz1), u1Cz2), u2Cz1);
T let T = ((Ve(Az1_Bz2) + Ve(Az2_Bz1)) - Ve(u1Cz2)) - Ve(u2Cz1);
T.0
} }
pub fn fold_witness( pub fn fold_witness(
@@ -67,12 +89,15 @@ impl<C: AffineRepr> NIFS<C> {
) -> FWit<C> { ) -> FWit<C> {
let r2 = r * r; let r2 = r * r;
let E: Vec<C::ScalarField> = vec_add( let E: Vec<C::ScalarField> = vec_add(
// TODO this syntax will be simplified with future operators impl // this syntax will be simplified with future operators impl (or at least a method
// for r-lin)
vec_add(fw1.E.clone(), vector_elem_product(&T, &r)), vec_add(fw1.E.clone(), vector_elem_product(&T, &r)),
// rlin(fw1.E.clone(), T, r),
vector_elem_product(&fw2.E, &r2), vector_elem_product(&fw2.E, &r2),
); );
let rE = fw1.rE + r * fw2.rE; let rE = fw1.rE + r2 * fw2.rE; // TODO rT
let W = vec_add(fw1.W.clone(), vector_elem_product(&fw2.W, &r)); let W = vec_add(fw1.W.clone(), vector_elem_product(&fw2.W, &r));
// let W = rlin(fw1.W.clone(), fw2.W.clone(), r);
let rW = fw1.rW + r * fw2.rW; let rW = fw1.rW + r * fw2.rW;
FWit::<C> { FWit::<C> {
E: E.into(), E: E.into(),
@@ -90,21 +115,24 @@ impl<C: AffineRepr> NIFS<C> {
) -> Phi<C> { ) -> Phi<C> {
let r2 = r * r; let r2 = r * r;
let cmE = phi1.cmE.cm + cmT.cm.mul(r) + phi2.cmE.cm.mul(r2); let cmE = phi1.cmE + cmT.cm.mul(r) + phi2.cmE.mul(r2);
let u = phi1.u + r * phi2.u; let u = phi1.u + r * phi2.u;
let cmW = phi1.cmW.cm + phi2.cmW.cm.mul(r); let cmW = phi1.cmW + phi2.cmW.mul(r);
let x = vec_add(phi1.x, vector_elem_product(&phi2.x, &r)); let x = vec_add(phi1.x, vector_elem_product(&phi2.x, &r));
// let x = rlin(phi1.x, phi2.x, r);
Phi::<C> { Phi::<C> {
cmE: Commitment::<C> { // cmE: Commitment::<C> {
cm: cmE.into(), // cm: cmE.into(),
r: phi1.cmE.r, // r: phi1.cmE.r,
}, // },
cmE: cmE.into(),
u, u,
cmW: Commitment::<C> { // cmW: Commitment::<C> {
cm: cmW.into(), // cm: cmW.into(),
r: phi1.cmW.r, // r: phi1.cmW.r,
}, // },
cmW: cmW.into(),
x, x,
} }
} }
@@ -127,7 +155,8 @@ mod tests {
fn test_simple_folding() { fn test_simple_folding() {
let mut rng = ark_std::test_rng(); let mut rng = ark_std::test_rng();
// R1CS for: x^3 + x + 5 = y // R1CS for: x^3 + x + 5 = y (example from article
// https://www.vitalik.ca/general/2016/12/10/qap.html )
let A = to_F_matrix::<Fr>(vec![ let A = to_F_matrix::<Fr>(vec![
vec![0, 1, 0, 0, 0, 0], vec![0, 1, 0, 0, 0, 0],
vec![0, 0, 0, 1, 0, 0], vec![0, 0, 0, 1, 0, 0],
@@ -147,7 +176,9 @@ mod tests {
vec![0, 0, 1, 0, 0, 0], vec![0, 0, 1, 0, 0, 0],
]); ]);
let z1 = to_F_vec::<Fr>(vec![1, 3, 35, 9, 27, 30]); let z1 = to_F_vec::<Fr>(vec![1, 3, 35, 9, 27, 30]);
let x1 = to_F_vec::<Fr>(vec![35]);
let z2 = to_F_vec::<Fr>(vec![1, 4, 73, 16, 64, 68]); let z2 = to_F_vec::<Fr>(vec![1, 4, 73, 16, 64, 68]);
let x2 = to_F_vec::<Fr>(vec![73]);
let relaxed_r1cs_1 = R1CS::<Fr> { let relaxed_r1cs_1 = R1CS::<Fr> {
A: A.clone(), A: A.clone(),
@@ -155,7 +186,12 @@ mod tests {
C: C.clone(), C: C.clone(),
} }
.relax(); .relax();
let relaxed_r1cs_2 = R1CS::<Fr> { A, B, C }.relax(); let relaxed_r1cs_2 = R1CS::<Fr> {
A: A.clone(),
B: B.clone(),
C: C.clone(),
}
.relax();
let T = NIFS::<G1Affine>::comp_T(relaxed_r1cs_1, relaxed_r1cs_2, &z1, &z2); let T = NIFS::<G1Affine>::comp_T(relaxed_r1cs_1, relaxed_r1cs_2, &z1, &z2);
let params = Pedersen::<G1Affine>::new_params(&mut rng); let params = Pedersen::<G1Affine>::new_params(&mut rng);
@@ -179,11 +215,23 @@ mod tests {
// fold witness // fold witness
let folded_witness = NIFS::<G1Affine>::fold_witness(r, &fw1, &fw2, T); let folded_witness = NIFS::<G1Affine>::fold_witness(r, &fw1, &fw2, T);
let phi1 = fw1.commit(); // <- unimplemented
let phi2 = fw2.commit(); let pedersen_params = Pedersen::<G1Affine>::new_params(&mut rng);
let phi1 = fw1.commit(&mut rng, &pedersen_params, x1); // wip
let phi2 = fw2.commit(&mut rng, &pedersen_params, x2);
// fold instance // fold instance
let folded_instance = NIFS::<G1Affine>::fold_instance(r, phi1, phi2, cmT); let folded_instance = NIFS::<G1Affine>::fold_instance(r, phi1, phi2, cmT);
// naive check r1cs of the folded witness
// assert_eq!(hadamard_product(Az, Bz), vec_add(vector_elem_product(Cz, u), E)); // naive check that the folded witness satisfies the relaxed r1cs
let Az = matrix_vector_product(&A, &folded_witness.W);
let Bz = matrix_vector_product(&B, &folded_witness.W);
let Cz = matrix_vector_product(&C, &folded_witness.W);
assert_eq!(
hadamard_product(Az, Bz),
vec_add(
vector_elem_product(&Cz, &folded_instance.u),
folded_witness.E
)
);
} }
} }

67
src/utils.rs
View File

@@ -1,6 +1,7 @@
use ark_ec::AffineRepr; use ark_ec::AffineRepr;
use ark_ff::fields::PrimeField; use ark_ff::fields::PrimeField;
use core::ops::Add; use core::ops::{Add, Sub};
use std::fmt;
pub fn vector_elem_product<F: PrimeField>(a: &Vec<F>, e: &F) -> Vec<F> { pub fn vector_elem_product<F: PrimeField>(a: &Vec<F>, e: &F) -> Vec<F> {
// maybe move this method to operator a * e // maybe move this method to operator a * e
@@ -30,6 +31,11 @@ pub fn hadamard_product<F: PrimeField>(a: Vec<F>, b: Vec<F>) -> Vec<F> {
r r
} }
// rlin: random linear combination
// pub fn rlin<F: PrimeField>(a: Vec<F>, b: Vec<F>, r: F) -> Vec<F> {
// vec_add(a, vector_elem_product(&b, &r)) // WIP probably group loops
// }
pub fn naive_msm<C: AffineRepr>(s: &Vec<C::ScalarField>, p: &Vec<C>) -> C { pub fn naive_msm<C: AffineRepr>(s: &Vec<C::ScalarField>, p: &Vec<C>) -> C {
// check lengths // check lengths
@@ -47,17 +53,6 @@ pub fn vec_add<F: PrimeField>(a: Vec<F>, b: Vec<F>) -> Vec<F> {
} }
r r
} }
// TODO instead of vec_add do:
// impl<'a, 'b, F> Add<&'b Vec<F>> for &'a Vec<F> {
// type Output = Vec<F>;
// fn add(self, rhs: &'b Vec<F>) -> Vec<F> {
// let mut r: Vec<F> = vec![F::zero(); self.len()];
// for i in 0..self.len() {
// r[i] = self[i] + rhs[i];
// }
// r
// }
// }
pub fn vec_sub<F: PrimeField>(a: Vec<F>, b: Vec<F>) -> Vec<F> { pub fn vec_sub<F: PrimeField>(a: Vec<F>, b: Vec<F>) -> Vec<F> {
let mut r: Vec<F> = vec![F::zero(); a.len()]; let mut r: Vec<F> = vec![F::zero(); a.len()];
for i in 0..a.len() { for i in 0..a.len() {
@@ -66,6 +61,48 @@ pub fn vec_sub<F: PrimeField>(a: Vec<F>, b: Vec<F>) -> Vec<F> {
r r
} }
// instead of vec_{add/sub} can use Ve wrapper which has '+', '-' operators
#[derive(Debug, Clone, PartialEq)]
pub struct Ve<F: PrimeField>(pub Vec<F>);
impl<F: PrimeField> fmt::Display for Ve<F> {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
for (i, e) in self.0.iter().enumerate() {
if i == self.0.len() - 1 {
write!(f, "{}", e)?;
break;
}
write!(f, "{}, ", e)?;
}
Ok(())
}
}
impl<F: PrimeField> Add<Ve<F>> for Ve<F> {
type Output = Ve<F>;
fn add(self, rhs_vec: Self) -> Ve<F> {
let lhs = self.0.clone();
let rhs = rhs_vec.0.clone();
let mut r: Vec<F> = vec![F::zero(); lhs.len()];
for i in 0..self.0.len() {
r[i] = lhs[i] + rhs[i];
}
Ve(r)
}
}
impl<F: PrimeField> Sub<Ve<F>> for Ve<F> {
type Output = Ve<F>;
fn sub(self, rhs_vec: Self) -> Ve<F> {
let lhs = self.0.clone();
let rhs = rhs_vec.0.clone();
let mut r: Vec<F> = vec![F::zero(); lhs.len()];
for i in 0..self.0.len() {
r[i] = lhs[i] - rhs[i];
}
Ve(r)
}
}
pub fn to_F_matrix<F: PrimeField>(M: Vec<Vec<usize>>) -> Vec<Vec<F>> { pub fn to_F_matrix<F: PrimeField>(M: Vec<Vec<usize>>) -> Vec<Vec<F>> {
let mut R: Vec<Vec<F>> = vec![Vec::new(); M.len()]; let mut R: Vec<Vec<F>> = vec![Vec::new(); M.len()];
for i in 0..M.len() { for i in 0..M.len() {
@@ -114,6 +151,12 @@ mod tests {
to_F_vec(vec![7, 16, 27, 40, 55, 72]) to_F_vec(vec![7, 16, 27, 40, 55, 72])
); );
} }
#[test]
fn test_vec_add() {
let a: Vec<Fr> = to_F_vec::<Fr>(vec![1, 2, 3, 4, 5, 6]);
let b: Vec<Fr> = to_F_vec(vec![7, 8, 9, 10, 11, 12]);
assert_eq!(vec_add(a.clone(), b.clone()), (Ve(a) + Ve(b)).0);
}
#[test] #[test]
fn test_ABC_hadamard() { fn test_ABC_hadamard() {