arnaucube/nova-study
1
0
Fork 0
mirror of https://github.com/arnaucube/nova-study.git synced 2026-01-09 23:51:29 +01:00
Code Issues Projects Releases Wiki Activity

update vec commitment, add check of comm E, W in NIFS test

Browse Source
This commit is contained in:
arnaucube
2023-04-19 22:25:29 +02:00
parent ab2b047402
commit ba567dffde
3 changed files with 61 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
src/nifs.rs
View File

@@ -3,7 +3,7 @@ use ark_std::ops::Add;
use ark_std::One; use ark_std::One;
use std::marker::PhantomData; use std::marker::PhantomData;
use crate::pedersen::{Commitment, CommitmentVec, Params as PedersenParams, Pedersen}; use crate::pedersen::{Commitment, Params as PedersenParams, Pedersen};
use crate::r1cs::*; use crate::r1cs::*;
use crate::transcript::Transcript; use crate::transcript::Transcript;
use crate::utils::*; use crate::utils::*;
@@ -14,37 +14,28 @@ use ark_std::{
// Phi: φ in the paper (later 𝖴), a folded instance // Phi: φ in the paper (later 𝖴), a folded instance
pub struct Phi<C: AffineRepr> { pub struct Phi<C: AffineRepr> {
// cmE: CommitmentVec<C>, // TODO not Commitment but directly C (without rE) cmE: Commitment<C>,
cmE: C,
u: C::ScalarField, u: C::ScalarField,
// cmW: CommitmentVec<C>, // TODO not Commitment but directly C (without rW) cmW: Commitment<C>,
cmW: C,
x: Vec<C::ScalarField>, x: Vec<C::ScalarField>,
} }
// FWit: Folded Witness // FWit: Folded Witness
pub struct FWit<C: AffineRepr> { pub struct FWit<C: AffineRepr> {
E: Vec<C::ScalarField>, E: Vec<C::ScalarField>,
rE: C::ScalarField,
W: Vec<C::ScalarField>, W: Vec<C::ScalarField>,
rW: C::ScalarField,
} }
impl<C: AffineRepr> FWit<C> { impl<C: AffineRepr> FWit<C> {
pub fn commit<R: Rng>( pub fn commit(self, params: &PedersenParams<C>, x: &Vec<C::ScalarField>) -> Phi<C> {
&self, // TODO instead of r_vec, use self.rE and self.rW for the commit
rng: &mut R, let cmE = Pedersen::commit(&params.r_vec, &self.E);
params: &PedersenParams<C>, let cmW = Pedersen::commit(&params.r_vec, &self.W);
x: Vec<C::ScalarField>,
) -> Phi<C> {
// TODO instead of rand r, use self.rE and self.rW for the commit_vec
let cmE = Pedersen::commit_vec(rng, &params, &self.E);
let cmW = Pedersen::commit_vec(rng, &params, &self.W);
Phi { Phi {
cmE: cmE.cm, cmE,
u: C::ScalarField::one(), u: C::ScalarField::one(),
cmW: cmW.cm, cmW,
x, x: x.clone(),
} }
} }
} }
@@ -91,19 +82,15 @@ impl<C: AffineRepr> NIFS<C> {
let E: Vec<C::ScalarField> = vec_add( let E: Vec<C::ScalarField> = vec_add(
// this syntax will be simplified with future operators impl (or at least a method // this syntax will be simplified with future operators impl (or at least a method
// for r-lin) // for r-lin)
vec_add(fw1.E.clone(), vector_elem_product(&T, &r)), &vec_add(&fw1.E, &vector_elem_product(&T, &r)),
// rlin(fw1.E.clone(), T, r), // rlin(fw1.E.clone(), T, r),
vector_elem_product(&fw2.E, &r2), &vector_elem_product(&fw2.E, &r2),
); );
let rE = fw1.rE + r2 * fw2.rE; // TODO rT let W = vec_add(&fw1.W, &vector_elem_product(&fw2.W, &r));
let W = vec_add(fw1.W.clone(), vector_elem_product(&fw2.W, &r));
// let W = rlin(fw1.W.clone(), fw2.W.clone(), r); // let W = rlin(fw1.W.clone(), fw2.W.clone(), r);
let rW = fw1.rW + r * fw2.rW;
FWit::<C> { FWit::<C> {
E: E.into(), E: E.into(),
rE,
W: W.into(), W: W.into(),
rW,
} }
} }
@@ -111,28 +98,20 @@ impl<C: AffineRepr> NIFS<C> {
r: C::ScalarField, r: C::ScalarField,
phi1: Phi<C>, phi1: Phi<C>,
phi2: Phi<C>, phi2: Phi<C>,
cmT: CommitmentVec<C>, cmT: Commitment<C>,
) -> Phi<C> { ) -> Phi<C> {
let r2 = r * r; let r2 = r * r;
let cmE = phi1.cmE + cmT.cm.mul(r) + phi2.cmE.mul(r2); let cmE = phi1.cmE.0 + cmT.0.mul(r) + phi2.cmE.0.mul(r2);
let u = phi1.u + r * phi2.u; let u = phi1.u + r * phi2.u;
let cmW = phi1.cmW + phi2.cmW.mul(r); let cmW = phi1.cmW.0 + phi2.cmW.0.mul(r);
let x = vec_add(phi1.x, vector_elem_product(&phi2.x, &r)); let x = vec_add(&phi1.x, &vector_elem_product(&phi2.x, &r));
// let x = rlin(phi1.x, phi2.x, r); // let x = rlin(phi1.x, phi2.x, r);
Phi::<C> { Phi::<C> {
// cmE: Commitment::<C> { cmE: Commitment(cmE.into()),
// cm: cmE.into(),
// r: phi1.cmE.r,
// },
cmE: cmE.into(),
u, u,
// cmW: Commitment::<C> { cmW: Commitment(cmW.into()),
// cm: cmW.into(),
// r: phi1.cmW.r,
// },
cmW: cmW.into(),
x, x,
} }
} }
@@ -194,44 +173,44 @@ mod tests {
.relax(); .relax();
let T = NIFS::<G1Affine>::comp_T(relaxed_r1cs_1, relaxed_r1cs_2, &z1, &z2); let T = NIFS::<G1Affine>::comp_T(relaxed_r1cs_1, relaxed_r1cs_2, &z1, &z2);
let params = Pedersen::<G1Affine>::new_params(&mut rng); let pedersen_params = Pedersen::<G1Affine>::new_params(&mut rng, 100); // 100 is wip, will get it from actual vec
let cmT = Pedersen::commit_vec(&mut rng, &params, &T); let cmT = Pedersen::commit(&pedersen_params.r_vec, &T);
let r = Fr::rand(&mut rng); // this would come from the transcript let r = Fr::rand(&mut rng); // this would come from the transcript
// WIP TMP // WIP TMP
let fw1 = FWit::<G1Affine> { let fw1 = FWit::<G1Affine> {
E: vec![Fr::zero(); T.len()], E: vec![Fr::zero(); T.len()],
rE: Fr::zero(),
W: z1, W: z1,
rW: Fr::zero(),
}; };
let fw2 = FWit::<G1Affine> { let fw2 = FWit::<G1Affine> {
E: vec![Fr::zero(); T.len()], E: vec![Fr::zero(); T.len()],
rE: Fr::zero(),
W: z2, W: z2,
rW: Fr::zero(),
}; };
// fold witness // fold witness
let folded_witness = NIFS::<G1Affine>::fold_witness(r, &fw1, &fw2, T); let fw3 = NIFS::<G1Affine>::fold_witness(r, &fw1, &fw2, T);
let pedersen_params = Pedersen::<G1Affine>::new_params(&mut rng); // let pedersen_params = Pedersen::<G1Affine>::new_params(&mut rng, 100); // 100 is wip, will get it from actual vec
let phi1 = fw1.commit(&mut rng, &pedersen_params, x1); // wip let phi1 = fw1.commit(&pedersen_params, &x1); // wip
let phi2 = fw2.commit(&mut rng, &pedersen_params, x2); let phi2 = fw2.commit(&pedersen_params, &x2);
// fold instance // fold instance
let folded_instance = NIFS::<G1Affine>::fold_instance(r, phi1, phi2, cmT); let phi3 = NIFS::<G1Affine>::fold_instance(r, phi1, phi2, cmT);
// naive check that the folded witness satisfies the relaxed r1cs // naive check that the folded witness satisfies the relaxed r1cs
let Az = matrix_vector_product(&A, &folded_witness.W); let Az = matrix_vector_product(&A, &fw3.W);
let Bz = matrix_vector_product(&B, &folded_witness.W); let Bz = matrix_vector_product(&B, &fw3.W);
let Cz = matrix_vector_product(&C, &folded_witness.W); let Cz = matrix_vector_product(&C, &fw3.W);
assert_eq!( assert_eq!(
hadamard_product(Az, Bz), hadamard_product(Az, Bz),
vec_add( vec_add(&vector_elem_product(&Cz, &phi3.u), &fw3.E)
vector_elem_product(&Cz, &folded_instance.u),
folded_witness.E
)
); );
// check that folded commitments from folded instance (phi) are equal to folding the
// witnesses and committing into it
let x3 = vec_add(&x1, &vector_elem_product(&x2, &r));
let phi3_expected = fw3.commit(&pedersen_params, &x3);
assert_eq!(phi3_expected.cmE.0, phi3.cmE.0);
assert_eq!(phi3_expected.cmW.0, phi3.cmW.0);
} }
} }

45
src/pedersen.rs
View File

@@ -17,6 +17,7 @@ pub struct Proof<C: AffineRepr> {
pub struct Params<C: AffineRepr> { pub struct Params<C: AffineRepr> {
g: C, g: C,
h: C, h: C,
pub r_vec: Vec<C>,
} }
pub struct Pedersen<C: AffineRepr> { pub struct Pedersen<C: AffineRepr> {
@@ -24,12 +25,14 @@ pub struct Pedersen<C: AffineRepr> {
} }
impl<C: AffineRepr> Pedersen<C> { impl<C: AffineRepr> Pedersen<C> {
pub fn new_params<R: Rng>(rng: &mut R) -> Params<C> { pub fn new_params<R: Rng>(rng: &mut R, max: usize) -> Params<C> {
let h_scalar = C::ScalarField::rand(rng); let h_scalar = C::ScalarField::rand(rng);
let g: C = C::generator(); let g: C = C::generator();
let r_vec: Vec<C> = vec![C::rand(rng); max];
let params: Params<C> = Params::<C> { let params: Params<C> = Params::<C> {
g, g,
h: g.mul(h_scalar).into(), h: g.mul(h_scalar).into(),
r_vec, // will need 2 r: rE, rW
}; };
params params
} }
@@ -38,22 +41,17 @@ impl<C: AffineRepr> Pedersen<C> {
rng: &mut R, rng: &mut R,
params: &Params<C>, params: &Params<C>,
v: &C::ScalarField, v: &C::ScalarField,
) -> Commitment<C> { ) -> CommitmentElem<C> {
let r = C::ScalarField::rand(rng); let r = C::ScalarField::rand(rng);
let cm: C = (params.g.mul(v) + params.h.mul(r)).into(); let cm: C = (params.g.mul(v) + params.h.mul(r)).into();
Commitment::<C> { cm, r } CommitmentElem::<C> { cm, r }
} }
pub fn commit_vec<R: RngCore>( pub fn commit(rs: &Vec<C>, v: &Vec<C::ScalarField>) -> Commitment<C> {
rng: &mut R, let cm = naive_msm(v, &rs);
params: &Params<C>, Commitment::<C>(cm)
v: &Vec<C::ScalarField>,
) -> CommitmentVec<C> {
let r: Vec<C> = vec![C::rand(rng); v.len()]; // wip
let cm = naive_msm(v, &r);
CommitmentVec::<C> { cm, r }
} }
pub fn prove( pub fn prove_elem(
params: &Params<C>, params: &Params<C>,
transcript: &mut Transcript<C::ScalarField>, transcript: &mut Transcript<C::ScalarField>,
cm: C, cm: C,
@@ -75,7 +73,7 @@ impl<C: AffineRepr> Pedersen<C> {
Proof::<C> { R, t1, t2 } Proof::<C> { R, t1, t2 }
} }
pub fn verify( pub fn verify_elem(
params: &Params<C>, params: &Params<C>,
transcript: &mut Transcript<C::ScalarField>, transcript: &mut Transcript<C::ScalarField>,
cm: C, cm: C,
@@ -97,23 +95,20 @@ impl<C: AffineRepr> Pedersen<C> {
} }
} }
pub struct CommitmentVec<C: AffineRepr> { pub struct Commitment<C: AffineRepr>(pub C);
// WIP
pub cm: C, pub struct CommitmentElem<C: AffineRepr> {
pub r: Vec<C>,
}
pub struct Commitment<C: AffineRepr> {
pub cm: C, pub cm: C,
pub r: C::ScalarField, pub r: C::ScalarField,
} }
impl<C: AffineRepr> Commitment<C> { impl<C: AffineRepr> CommitmentElem<C> {
pub fn prove( pub fn prove(
&self, &self,
params: &Params<C>, params: &Params<C>,
transcript: &mut Transcript<C::ScalarField>, transcript: &mut Transcript<C::ScalarField>,
v: C::ScalarField, v: C::ScalarField,
) -> Proof<C> { ) -> Proof<C> {
Pedersen::<C>::prove(params, transcript, self.cm, v, self.r) Pedersen::<C>::prove_elem(params, transcript, self.cm, v, self.r)
} }
} }
@@ -129,7 +124,9 @@ mod tests {
let mut rng = ark_std::test_rng(); let mut rng = ark_std::test_rng();
// setup params // setup params
let params = Pedersen::<G1Affine>::new_params(&mut rng); let params = Pedersen::<G1Affine>::new_params(
&mut rng, 0, /* 0, as here we don't use commit_vec */
);
// init Prover's transcript // init Prover's transcript
let mut transcript_p: Transcript<Fr> = Transcript::<Fr>::new(); let mut transcript_p: Transcript<Fr> = Transcript::<Fr>::new();
@@ -141,8 +138,8 @@ mod tests {
let cm = Pedersen::commit_elem(&mut rng, &params, &v); let cm = Pedersen::commit_elem(&mut rng, &params, &v);
let proof = cm.prove(&params, &mut transcript_p, v); let proof = cm.prove(&params, &mut transcript_p, v);
// also can use: // also can use:
// let proof = Pedersen::prove(&params, &mut transcript_p, cm.cm, v, cm.r); // let proof = Pedersen::prove_elem(&params, &mut transcript_p, cm.cm, v, cm.r);
let v = Pedersen::verify(&params, &mut transcript_v, cm.cm, proof); let v = Pedersen::verify_elem(&params, &mut transcript_v, cm.cm, proof);
assert!(v); assert!(v);
} }
} }

6
src/utils.rs
View File

@@ -37,7 +37,7 @@ pub fn hadamard_product<F: PrimeField>(a: Vec<F>, b: Vec<F>) -> Vec<F> {
// } // }
pub fn naive_msm<C: AffineRepr>(s: &Vec<C::ScalarField>, p: &Vec<C>) -> C { pub fn naive_msm<C: AffineRepr>(s: &Vec<C::ScalarField>, p: &Vec<C>) -> C {
// check lengths // TODO check lengths, or at least check s.len()>= p.len()
let mut r = p[0].mul(s[0]); let mut r = p[0].mul(s[0]);
for i in 1..s.len() { for i in 1..s.len() {
@@ -46,7 +46,7 @@ pub fn naive_msm<C: AffineRepr>(s: &Vec<C::ScalarField>, p: &Vec<C>) -> C {
r.into() r.into()
} }
pub fn vec_add<F: PrimeField>(a: Vec<F>, b: Vec<F>) -> Vec<F> { pub fn vec_add<F: PrimeField>(a: &Vec<F>, b: &Vec<F>) -> Vec<F> {
let mut r: Vec<F> = vec![F::zero(); a.len()]; let mut r: Vec<F> = vec![F::zero(); a.len()];
for i in 0..a.len() { for i in 0..a.len() {
r[i] = a[i] + b[i]; r[i] = a[i] + b[i];
@@ -155,7 +155,7 @@ mod tests {
fn test_vec_add() { fn test_vec_add() {
let a: Vec<Fr> = to_F_vec::<Fr>(vec![1, 2, 3, 4, 5, 6]); let a: Vec<Fr> = to_F_vec::<Fr>(vec![1, 2, 3, 4, 5, 6]);
let b: Vec<Fr> = to_F_vec(vec![7, 8, 9, 10, 11, 12]); let b: Vec<Fr> = to_F_vec(vec![7, 8, 9, 10, 11, 12]);
assert_eq!(vec_add(a.clone(), b.clone()), (Ve(a) + Ve(b)).0); assert_eq!(vec_add(&a, &b), (Ve(a) + Ve(b)).0);
} }
#[test] #[test]