// use ark_ec::AffineRepr; use ark_ec::{CurveGroup, Group}; use ark_ff::fields::PrimeField; use ark_std::{One, Zero}; use std::marker::PhantomData; use crate::pedersen::{Commitment, Params as PedersenParams, Pedersen, Proof as PedersenProof}; use crate::transcript::Transcript; use crate::utils::*; use ark_crypto_primitives::sponge::Absorb; pub struct R1CS { pub A: Vec>, pub B: Vec>, pub C: Vec>, } // Phi: φ in the paper (later 𝖴), a folded instance #[derive(Clone, Debug)] pub struct Phi { pub cmE: Commitment, pub u: C::ScalarField, pub cmW: Commitment, pub x: C::ScalarField, } // FWit: Folded Witness pub struct FWit { E: Vec, rE: C::ScalarField, W: Vec, rW: C::ScalarField, } impl FWit where ::ScalarField: Absorb, ::BaseField: Absorb, { pub fn new(z: Vec, e_len: usize) -> Self { FWit:: { E: vec![C::ScalarField::zero(); e_len], rE: C::ScalarField::one(), W: z, rW: C::ScalarField::one(), } } pub fn commit(&self, params: &PedersenParams) -> Phi { let cmE = Pedersen::commit(params, &self.E, &self.rE); let cmW = Pedersen::commit(params, &self.W, &self.rW); Phi { cmE, u: C::ScalarField::one(), cmW, x: self.W[0], // TODO WIP review } } } pub struct NIFS { _phantom: PhantomData, } impl NIFS where ::ScalarField: Absorb, ::BaseField: Absorb, { // comp_T: compute cross-terms T pub fn comp_T( r1cs: &R1CS, u1: C::ScalarField, u2: C::ScalarField, z1: &[C::ScalarField], z2: &[C::ScalarField], ) -> Vec { let (A, B, C) = (r1cs.A.clone(), r1cs.B.clone(), r1cs.C.clone()); // this is parallelizable (for the future) let Az1 = matrix_vector_product(&A, z1); let Bz1 = matrix_vector_product(&B, z1); let Cz1 = matrix_vector_product(&C, z1); let Az2 = matrix_vector_product(&A, z2); let Bz2 = matrix_vector_product(&B, z2); let Cz2 = matrix_vector_product(&C, z2); let Az1_Bz2 = hadamard_product(Az1, Bz2); let Az2_Bz1 = hadamard_product(Az2, Bz1); let u1Cz2 = vector_elem_product(&Cz2, &u1); let u2Cz1 = vector_elem_product(&Cz1, &u2); // let T = vec_sub(vec_sub(vec_add(Az1_Bz2, Az2_Bz1), u1Cz2), u2Cz1); let T = ((Ve(Az1_Bz2) + Ve(Az2_Bz1)) - Ve(u1Cz2)) - Ve(u2Cz1); T.0 } pub fn fold_witness( r: C::ScalarField, fw1: &FWit, fw2: &FWit, T: &Vec, rT: C::ScalarField, ) -> FWit { let r2 = r * r; let E: Vec = vec_add( // this syntax will be simplified with future operators impl (or at least a method // for r-lin) &vec_add(&fw1.E, &vector_elem_product(T, &r)), &vector_elem_product(&fw2.E, &r2), ); let rE = fw1.rE + r * rT + r2 * fw2.rE; let W = vec_add(&fw1.W, &vector_elem_product(&fw2.W, &r)); let rW = fw1.rW + r * fw2.rW; FWit:: { E, rE, W, rW } } pub fn fold_instance( r: C::ScalarField, phi1: &Phi, phi2: &Phi, cmT: &Commitment, ) -> Phi { let r2 = r * r; let cmE = phi1.cmE.0 + cmT.0.mul(r) + phi2.cmE.0.mul(r2); let u = phi1.u + r * phi2.u; let cmW = phi1.cmW.0 + phi2.cmW.0.mul(r); // let x = vec_add(&phi1.x, &vector_elem_product(&phi2.x, &r)); let x = phi1.x + r * phi2.x; Phi:: { cmE: Commitment(cmE), u, cmW: Commitment(cmW), x, } } // NIFS.P #[allow(clippy::type_complexity)] pub fn P( tr: &mut Transcript, pedersen_params: &PedersenParams, r: C::ScalarField, r1cs: &R1CS, fw1: FWit, fw2: FWit, ) -> (FWit, Phi, Phi, Vec, Commitment) { // compute committed instances let phi1 = fw1.commit(pedersen_params); // wip let phi2 = fw2.commit(pedersen_params); // compute cross terms let T = Self::comp_T(r1cs, phi1.u, phi2.u, &fw1.W, &fw2.W); let rT = tr.get_challenge(); // r_T let cmT = Pedersen::commit(pedersen_params, &T, &rT); // fold witness let fw3 = NIFS::::fold_witness(r, &fw1, &fw2, &T, rT); // fold committed instancs // let phi3 = NIFS::::fold_instance(r, &phi1, &phi2, &cmT); (fw3, phi1, phi2, T, cmT) // maybe return phi3 } // NIFS.V pub fn V(r: C::ScalarField, phi1: &Phi, phi2: &Phi, cmT: &Commitment) -> Phi { NIFS::::fold_instance(r, phi1, phi2, cmT) } // verify commited folded instance (phi) relations pub fn verify( r: C::ScalarField, phi1: &Phi, phi2: &Phi, phi3: &Phi, cmT: &Commitment, ) -> bool { let r2 = r * r; if phi3.cmE.0 != (phi1.cmE.0 + cmT.0.mul(r) + phi2.cmE.0.mul(r2)) { return false; } if phi3.u != phi1.u + r * phi2.u { return false; } if phi3.cmW.0 != (phi1.cmW.0 + phi2.cmW.0.mul(r)) { return false; } // if phi3.x != vec_add(&phi1.x, &vector_elem_product(&phi2.x, &r)) { if phi3.x != phi1.x + r * phi2.x { return false; } true } pub fn open_commitments( tr: &mut Transcript, pedersen_params: &PedersenParams, fw: &FWit, phi: &Phi, T: Vec, rT: C::ScalarField, cmT: &Commitment, ) -> (PedersenProof, PedersenProof, PedersenProof) { let cmE_proof = Pedersen::prove(pedersen_params, tr, &phi.cmE, &fw.E, &fw.rE); let cmW_proof = Pedersen::prove(pedersen_params, tr, &phi.cmW, &fw.W, &fw.rW); let cmT_proof = Pedersen::prove(pedersen_params, tr, cmT, &T, &rT); (cmE_proof, cmW_proof, cmT_proof) } pub fn verify_commitments( tr: &mut Transcript, pedersen_params: &PedersenParams, phi: Phi, cmT: Commitment, cmE_proof: PedersenProof, cmW_proof: PedersenProof, cmT_proof: PedersenProof, ) -> bool { if !Pedersen::verify(pedersen_params, tr, phi.cmE, cmE_proof) { return false; } if !Pedersen::verify(pedersen_params, tr, phi.cmW, cmW_proof) { return false; } if !Pedersen::verify(pedersen_params, tr, cmT, cmT_proof) { return false; } true } } // only for tests across different files pub fn gen_test_values(n: usize) -> (R1CS, Vec>, Vec>) { // R1CS for: x^3 + x + 5 = y (example from article // https://www.vitalik.ca/general/2016/12/10/qap.html ) let A = to_F_matrix::(vec![ vec![0, 1, 0, 0, 0, 0], vec![0, 0, 0, 1, 0, 0], vec![0, 1, 0, 0, 1, 0], vec![5, 0, 0, 0, 0, 1], ]); let B = to_F_matrix::(vec![ vec![0, 1, 0, 0, 0, 0], vec![0, 1, 0, 0, 0, 0], vec![1, 0, 0, 0, 0, 0], vec![1, 0, 0, 0, 0, 0], ]); let C = to_F_matrix::(vec![ vec![0, 0, 0, 1, 0, 0], vec![0, 0, 0, 0, 1, 0], vec![0, 0, 0, 0, 0, 1], vec![0, 0, 1, 0, 0, 0], ]); // generate n witnesses let mut w: Vec> = Vec::new(); let mut x: Vec> = Vec::new(); for i in 0..n { let input = 3 + i; let w_i = to_F_vec::(vec![ 1, input, input * input * input + input + 5, // x^3 + x + 5 input * input, // x^2 input * input * input, // x^2 * x input * input * input + input, // x^3 + x ]); w.push(w_i.clone()); let x_i = to_F_vec::(vec![input * input * input + input + 5]); x.push(x_i.clone()); } let r1cs = R1CS:: { A, B, C }; (r1cs, w, x) } #[cfg(test)] mod tests { use super::*; use crate::pedersen::Pedersen; use crate::transcript::poseidon_test_config; use ark_mnt4_298::{Fr, G1Projective}; use ark_std::One; use ark_std::UniformRand; // fold 2 instances into one #[test] fn test_one_fold() { let mut rng = ark_std::test_rng(); let pedersen_params = Pedersen::::new_params(&mut rng, 100); // 100 is wip, will get it from actual vec let poseidon_config = poseidon_test_config::(); let (r1cs, ws, _) = gen_test_values(2); let (A, B, C) = (r1cs.A.clone(), r1cs.B.clone(), r1cs.C.clone()); let r = Fr::rand(&mut rng); // this would come from the transcript let fw1 = FWit::::new(ws[0].clone(), A.len()); let fw2 = FWit::::new(ws[1].clone(), A.len()); // get committed instances let phi1 = fw1.commit(&pedersen_params); // wip let phi2 = fw2.commit(&pedersen_params); let T = NIFS::::comp_T(&r1cs, phi1.u, phi2.u, &ws[0], &ws[1]); let rT: Fr = Fr::rand(&mut rng); let cmT = Pedersen::commit(&pedersen_params, &T, &rT); // fold witness let fw3 = NIFS::::fold_witness(r, &fw1, &fw2, &T, rT); // fold instance let phi3 = NIFS::::fold_instance(r, &phi1, &phi2, &cmT); // naive check that the folded witness satisfies the relaxed r1cs let Az = matrix_vector_product(&A, &fw3.W); let Bz = matrix_vector_product(&B, &fw3.W); let Cz = matrix_vector_product(&C, &fw3.W); assert_eq!( hadamard_product(Az, Bz), vec_add(&vector_elem_product(&Cz, &phi3.u), &fw3.E) ); // check that folded commitments from folded instance (phi) are equal to folding the // use folded rE, rW to commit fw3 let phi3_expected = fw3.commit(&pedersen_params); assert_eq!(phi3_expected.cmE.0, phi3.cmE.0); assert_eq!(phi3_expected.cmW.0, phi3.cmW.0); // NIFS.Verify: assert!(NIFS::::verify(r, &phi1, &phi2, &phi3, &cmT)); // init Prover's transcript let mut transcript_p = Transcript::::new(&poseidon_config); // init Verifier's transcript let mut transcript_v = Transcript::::new(&poseidon_config); // check openings of phi3.cmE, phi3.cmW and cmT let (cmE_proof, cmW_proof, cmT_proof) = NIFS::::open_commitments( &mut transcript_p, &pedersen_params, &fw3, &phi3, T, rT, &cmT, ); let v = NIFS::::verify_commitments( &mut transcript_v, &pedersen_params, phi3, cmT, cmE_proof, cmW_proof, cmT_proof, ); assert!(v); } // fold i_1, i_2 instances into i_12, and then i_12, i_3 into i_123 #[test] fn test_two_fold() { let mut rng = ark_std::test_rng(); let pedersen_params = Pedersen::::new_params(&mut rng, 6); let poseidon_config = poseidon_test_config::(); let (r1cs, ws, _) = gen_test_values(3); let u1: Fr = Fr::one(); let u2: Fr = Fr::one(); let T_12 = NIFS::::comp_T(&r1cs, u1, u2, &ws[0], &ws[1]); let rT_12: Fr = Fr::rand(&mut rng); let cmT_12 = Pedersen::commit(&pedersen_params, &T_12, &rT_12); let r = Fr::rand(&mut rng); // this would come from the transcript let fw1 = FWit::::new(ws[0].clone(), T_12.len()); let fw2 = FWit::::new(ws[1].clone(), T_12.len()); // fold witness let fw_12 = NIFS::::fold_witness(r, &fw1, &fw2, &T_12, rT_12); // get committed instances let phi1 = fw1.commit(&pedersen_params); // wip let phi2 = fw2.commit(&pedersen_params); // fold instance let phi_12 = NIFS::::fold_instance(r, &phi1, &phi2, &cmT_12); // NIFS.Verify: assert!(NIFS::::verify( r, &phi1, &phi2, &phi_12, &cmT_12 )); //---- // 2nd fold let fw3 = FWit::::new(ws[2].clone(), r1cs.A.len()); // compute cross terms let T_123 = NIFS::::comp_T(&r1cs, phi_12.u, Fr::one(), &fw_12.W, &fw3.W); let rT_123: Fr = Fr::rand(&mut rng); let cmT_123 = Pedersen::commit(&pedersen_params, &T_123, &rT_123); // V sets rand challenge r let r = Fr::rand(&mut rng); // this would come from the transcript // fold witness let fw_123 = NIFS::::fold_witness(r, &fw_12, &fw3, &T_123, rT_123); // get committed instances // phi_12 is already known for Verifier from folding phi1, phi2 // rm: let phi_12 = fw_12.commit(&pedersen_params); // wip let phi3 = fw3.commit(&pedersen_params); // fold instance let phi_123 = NIFS::::fold_instance(r, &phi_12, &phi3, &cmT_123); // NIFS.Verify: assert!(NIFS::::verify( r, &phi_12, &phi3, &phi_123, &cmT_123 )); // naive check that the folded witness satisfies the relaxed r1cs let Az = matrix_vector_product(&r1cs.A, &fw_123.W); let Bz = matrix_vector_product(&r1cs.B, &fw_123.W); let Cz = matrix_vector_product(&r1cs.C, &fw_123.W); assert_eq!( hadamard_product(Az, Bz), vec_add(&vector_elem_product(&Cz, &phi_123.u), &fw_123.E) ); // check that folded commitments from folded instance (phi) are equal to folding the // use folded rE, rW to commit fw3 let phi_123_expected = fw_123.commit(&pedersen_params); assert_eq!(phi_123_expected.cmE.0, phi_123.cmE.0); assert_eq!(phi_123_expected.cmW.0, phi_123.cmW.0); // init Prover's transcript let mut transcript_p = Transcript::::new(&poseidon_config); // init Verifier's transcript let mut transcript_v = Transcript::::new(&poseidon_config); // check openings of phi_123.cmE, phi_123.cmW and cmT_123 let (cmE_proof, cmW_proof, cmT_proof) = NIFS::::open_commitments( &mut transcript_p, &pedersen_params, &fw_123, &phi_123, T_123, rT_123, &cmT_123, ); let v = NIFS::::verify_commitments( &mut transcript_v, &pedersen_params, phi_123, cmT_123, cmE_proof, cmW_proof, cmT_proof, ); assert!(v); } #[test] fn test_nifs_interface() { let mut rng = ark_std::test_rng(); let pedersen_params = Pedersen::::new_params(&mut rng, 100); // 100 is wip, will get it from actual vec let poseidon_config = poseidon_test_config::(); let (r1cs, ws, _) = gen_test_values(3); let (A, _, _) = (r1cs.A.clone(), r1cs.B.clone(), r1cs.C.clone()); let r = Fr::rand(&mut rng); // this would come from the transcript let fw1 = FWit::::new(ws[0].clone(), A.len()); let fw2 = FWit::::new(ws[1].clone(), A.len()); // init Prover's transcript let mut transcript_p = Transcript::::new(&poseidon_config); // NIFS.P let (_fw3, phi1, phi2, _T, cmT) = NIFS::::P(&mut transcript_p, &pedersen_params, r, &r1cs, fw1, fw2); // init Verifier's transcript // let mut transcript_v = Transcript::::new(&poseidon_config); // NIFS.V let phi3 = NIFS::::V(r, &phi1, &phi2, &cmT); assert!(NIFS::::verify(r, &phi1, &phi2, &phi3, &cmT)); } }