arnaucube
/
protogalaxy-poc
mirror of https://github.com/arnaucube/protogalaxy-poc.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11 Commits
1 Branch
0 Tags
51 KiB
 
Branch: main
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'main'
${ noResults }
arnaucube c6d42a8356 rm unused pedersen.rs methods, some more polishing 9 months ago
.github/workflows add GHA 9 months ago
src rm unused pedersen.rs methods, some more polishing 9 months ago
.gitignore init repo 9 months ago
Cargo.toml rm unused pedersen.rs methods, some more polishing 9 months ago
LICENSE add eval_f & check_instance methods, add initial Folding prover structure 9 months ago
README.md rm unused pedersen.rs methods, some more polishing 9 months ago

README.md

protogalaxy-poc Test

Proof of concept implementation of ProtoGalaxy (https://eprint.iacr.org/2023/1106.pdf) using arkworks.

Experimental code, do not use in production.

Thanks to Liam Eagen and Ariel Gabizon for their kind explanations.

This code has been done in the context of the research on folding schemes in 0xPARC.

protogalaxy img from Wikipedia

(img: protogalaxies colliding, from Wikipedia)

Details

Implementation of ProtoGalaxy's scheme described in section 4 of the paper.

Current version implements the folding on prover & verifier and it works for k-to-1 instances and with multiple iterations, but it is not optimized. Next steps in terms of implementation include: F(X) O(n) construction following Claim 4.4, compute K(X) in O(kd log(kd)M + ndkC) as described in Claim 4.5, add tests folding in multiple iterations and also in a tree approach, add the decider and integrate with some existing R1CS tooling for the R1CS & witness generation.

Usage

Example of folding k+1 instances:

// assume we have:
// an R1CS instance 'r1cs'
// a valid witness 'w' from our running instance
// k valid 'witnesses' to be fold

// compute the committed instance for our running witness
let phi = Pedersen::<G1Projective>::commit(&pedersen_params, &witness.w, &witness.r_w);
let instance = CommittedInstance::<G1Projective> {
    phi,
    betas: betas.clone(),
    e: Fr::zero(),
};

// compute the k committed instances to be fold
let mut instances: Vec<CommittedInstance<G1Projective>> = Vec::new();
for i in 0..k {
    let phi_i =
	Pedersen::<G1Projective>::commit(&pedersen_params, &witnesses[i].w, &witnesses[i].r_w);
    let instance_i = CommittedInstance::<G1Projective> {
	phi: phi_i,
	betas: betas.clone(),
	e: Fr::zero(),
    };
    instances.push(instance_i);
}

// set the initial random betas
let beta = Fr::rand(&mut rng);
let betas = powers_of_beta(beta, t);

// Prover folds the instances and witnesses
let (F_coeffs, K_coeffs, folded_instance, folded_witness) = Folding::<G1Projective>::prover(
    &mut transcript_p,
    &r1cs,
    // running instance
    instance.clone(),
    witness,
    // incomming instances
    instances.clone(),
    witnesses,
);

// verifier folds the instances
let folded_instance_v = Folding::<G1Projective>::verifier(
    &mut transcript_v,
    &r1cs,
    instance, // running instance
    instances, // incomming instances
    F_coeffs,
    K_coeffs,
);

// check that the folded instance satisfies the relation
assert!(check_instance(&r2cs, folded_instance, folded_witness));

// now, the folded instance & witness can be folded again with k other instances.

(see the actual code for more details)