From b25037e34c7200d034eeea09b136bf68de576361 Mon Sep 17 00:00:00 2001 From: arnaucube Date: Fri, 1 Mar 2024 09:52:07 +0100 Subject: [PATCH] Add IPA commitment scheme and the respective circuit verifier gadget (#72) * Add IPA commitment native implementation * Add IPA Gadget verifier * polish Pedersen & IPA, add blind bool param to IPA * Optimize IPA gadget constraints (and native): - optimize computation from linear to log time - optimize s computation from k*2^k to k*(2^k)/2 * add small optimization: delegate u_i^-1 to prover and just check u_i*u_i^-1==1 in verifier circuit * IPA polish and document * Add 'BLIND' parameter to CommitmentProver trait (and to Pedersen and KZG impls). Fit IPA into CommitmentProver trait. * rename 'BLIND' to 'H' (hiding) in commitment * IPA: rm u_invs from Proof and compute them incircuit * Update IPA's build_s & gadget to use Halo2 approach following @han0110 's suggestion. This reduced further the amount of constraints needed. - for k=4: -9k constraints (-7%) - for k=8: -473k constr (-31%) - for k=9: -1123k constr (-35%) - for k=10: -2578k constr (-39%) And now IPA verification (without amortizing) is very close to Pedersen verification (in-circuits). * rm dbg!(cs.num_constraints()) from multiple tests * IPA::prove remove intermediate v_lo,v_hi vectors, add doc to build_s_gadget * move powers_of into utils/mod.rs, update iters to cfg_iter --- folding-schemes-solidity/src/verifiers/mod.rs | 2 +- folding-schemes/src/commitment/ipa.rs | 681 ++++++++++++++++++ folding-schemes/src/commitment/kzg.rs | 17 +- folding-schemes/src/commitment/mod.rs | 18 +- folding-schemes/src/commitment/pedersen.rs | 80 +- folding-schemes/src/folding/hypernova/cccs.rs | 2 +- .../src/folding/hypernova/circuit.rs | 6 +- .../src/folding/hypernova/lcccs.rs | 6 +- .../src/folding/hypernova/nimfs.rs | 8 +- .../src/folding/hypernova/utils.rs | 4 +- folding-schemes/src/folding/nova/circuits.rs | 1 - folding-schemes/src/folding/nova/cyclefold.rs | 2 - .../src/folding/nova/decider_eth_circuit.rs | 30 +- folding-schemes/src/folding/nova/nifs.rs | 6 +- .../src/folding/protogalaxy/folding.rs | 3 +- folding-schemes/src/lib.rs | 4 + folding-schemes/src/utils/bit.rs | 9 - folding-schemes/src/utils/mod.rs | 13 +- 18 files changed, 796 insertions(+), 96 deletions(-) create mode 100644 folding-schemes/src/commitment/ipa.rs delete mode 100644 folding-schemes/src/utils/bit.rs diff --git a/folding-schemes-solidity/src/verifiers/mod.rs b/folding-schemes-solidity/src/verifiers/mod.rs index 4d59f0b..d6246b5 100644 --- a/folding-schemes-solidity/src/verifiers/mod.rs +++ b/folding-schemes-solidity/src/verifiers/mod.rs @@ -243,7 +243,7 @@ mod tests { let v: Vec = std::iter::repeat_with(|| Fr::rand(rng)).take(n).collect(); let cm = KZGProver::::commit(&pk, &v, &Fr::zero()).unwrap(); let (eval, proof) = - KZGProver::::prove(&pk, transcript_p, &cm, &v, &Fr::zero()).unwrap(); + KZGProver::::prove(&pk, transcript_p, &cm, &v, &Fr::zero(), None).unwrap(); let template = KZG10Verifier::from( &vk, &pk.powers_of_g[..5], diff --git a/folding-schemes/src/commitment/ipa.rs b/folding-schemes/src/commitment/ipa.rs new file mode 100644 index 0000000..6d1ba28 --- /dev/null +++ b/folding-schemes/src/commitment/ipa.rs @@ -0,0 +1,681 @@ +/// IPA implements the modified Inner Product Argument described in +/// [Halo](https://eprint.iacr.org/2019/1021.pdf). The variable names used follow the paper +/// notation in order to make it more readable. +/// +/// The implementation does the following optimizations in order to reduce the amount of +/// constraints in the circuit: +/// i. computation is done in log time following a modification of the equation 3 in section +/// 3.2 from the paper. +/// ii. s computation is done in 2^{k+1}-2 instead of k*2^k. +use ark_ec::{AffineRepr, CurveGroup}; +use ark_ff::{Field, PrimeField}; +use ark_r1cs_std::{ + alloc::{AllocVar, AllocationMode}, + boolean::Boolean, + fields::{nonnative::NonNativeFieldVar, FieldVar}, + groups::GroupOpsBounds, + prelude::CurveVar, + ToBitsGadget, +}; +use ark_relations::r1cs::{Namespace, SynthesisError}; +use ark_std::{ + cfg_iter, + rand::{Rng, RngCore}, + UniformRand, Zero, +}; +use core::{borrow::Borrow, marker::PhantomData}; +use rayon::iter::{IndexedParallelIterator, IntoParallelRefIterator, ParallelIterator}; + +use super::{pedersen::Params as PedersenParams, CommitmentProver}; +use crate::transcript::Transcript; +use crate::utils::{ + powers_of, + vec::{vec_add, vec_scalar_mul}, +}; +use crate::Error; + +/// IPA implements the Inner Product Argument protocol. The `H` parameter indicates if to use the +/// commitment in hiding mode or not. +#[derive(Debug, Clone, Eq, PartialEq)] +pub struct IPA { + _c: PhantomData, +} + +#[derive(Debug, Clone, Eq, PartialEq)] +pub struct Proof { + a: C::ScalarField, + l: Vec, + r: Vec, + L: Vec, + R: Vec, +} + +impl IPA { + pub fn new_params(rng: &mut R, max: usize) -> PedersenParams { + let generators: Vec = std::iter::repeat_with(|| C::Affine::rand(rng)) + .take(max.next_power_of_two()) + .collect(); + PedersenParams:: { + h: C::rand(rng), + generators, + } + } +} + +// Implement the CommitmentProver trait for IPA +impl CommitmentProver for IPA { + type Params = PedersenParams; + type Proof = Proof; + fn commit( + params: &PedersenParams, + a: &[C::ScalarField], + r: &C::ScalarField, // blinding factor + ) -> Result { + if params.generators.len() < a.len() { + return Err(Error::PedersenParamsLen(params.generators.len(), a.len())); + } + // h⋅r + + // use msm_unchecked because we already ensured at the if that lengths match + if !H { + return Ok(C::msm_unchecked(¶ms.generators[..a.len()], a)); + } + Ok(params.h.mul(r) + C::msm_unchecked(¶ms.generators[..a.len()], a)) + } + + fn prove( + params: &Self::Params, + transcript: &mut impl Transcript, + P: &C, // commitment + a: &[C::ScalarField], + x: &C::ScalarField, + rng: Option<&mut dyn RngCore>, + ) -> Result { + if !a.len().is_power_of_two() { + return Err(Error::NotPowerOfTwo("a".to_string(), a.len())); + } + let d = a.len(); + let k = (f64::from(d as u32).log2()) as usize; + + if params.generators.len() < a.len() { + return Err(Error::PedersenParamsLen(params.generators.len(), a.len())); + } + // blinding factors + let l: Vec; + let r: Vec; + if H { + let rng = rng.ok_or(Error::MissingRandomness)?; + l = std::iter::repeat_with(|| C::ScalarField::rand(rng)) + .take(k) + .collect(); + r = std::iter::repeat_with(|| C::ScalarField::rand(rng)) + .take(k) + .collect(); + } else { + l = vec![]; + r = vec![]; + } + + transcript.absorb_point(P)?; + let s = transcript.get_challenge(); + let U = C::generator().mul(s); + + let mut a = a.to_owned(); + let mut b = powers_of(*x, d); + let mut G = params.generators.clone(); + + let mut L: Vec = vec![C::zero(); k]; + let mut R: Vec = vec![C::zero(); k]; + + // u challenges + let mut u: Vec = vec![C::ScalarField::zero(); k]; + for j in (0..k).rev() { + let m = a.len() / 2; + + if H { + L[j] = C::msm_unchecked(&G[m..], &a[..m]) + + params.h.mul(l[j]) + + U.mul(inner_prod(&a[..m], &b[m..])?); + R[j] = C::msm_unchecked(&G[..m], &a[m..]) + + params.h.mul(r[j]) + + U.mul(inner_prod(&a[m..], &b[..m])?); + } else { + L[j] = C::msm_unchecked(&G[m..], &a[..m]) + U.mul(inner_prod(&a[..m], &b[m..])?); + R[j] = C::msm_unchecked(&G[..m], &a[m..]) + U.mul(inner_prod(&a[m..], &b[..m])?); + } + // get challenge for the j-th round + transcript.absorb_point(&L[j])?; + transcript.absorb_point(&R[j])?; + u[j] = transcript.get_challenge(); + + let uj = u[j]; + let uj_inv = u[j] + .inverse() + .ok_or(Error::Other("error on computing inverse".to_string()))?; + + // a_hi * uj^-1 + a_lo * uj + a = vec_add( + &vec_scalar_mul(&a[..m], &uj), + &vec_scalar_mul(&a[m..], &uj_inv), + )?; + // b_lo * uj^-1 + b_hi * uj + b = vec_add( + &vec_scalar_mul(&b[..m], &uj_inv), + &vec_scalar_mul(&b[m..], &uj), + )?; + // G_lo * uj^-1 + G_hi * uj + G = cfg_iter!(G[..m]) + .map(|e| e.into_group().mul(uj_inv)) + .zip(cfg_iter!(G[m..]).map(|e| e.into_group().mul(uj))) + .map(|(a, b)| (a + b).into_affine()) + .collect::>(); + } + + if a.len() != 1 { + return Err(Error::NotExpectedLength(a.len(), 1)); + } + if b.len() != 1 { + return Err(Error::NotExpectedLength(b.len(), 1)); + } + if G.len() != 1 { + return Err(Error::NotExpectedLength(G.len(), 1)); + } + + Ok(Self::Proof { + a: a[0], + l: l.clone(), + r: r.clone(), + L, + R, + }) + } +} + +impl IPA { + #[allow(clippy::too_many_arguments)] + pub fn verify( + params: &PedersenParams, + transcript: &mut impl Transcript, + x: C::ScalarField, // evaluation point + v: C::ScalarField, // value at evaluation point + P: C, // commitment + p: Proof, + r: C::ScalarField, // blinding factor + k: usize, // k = log2(d), where d is the degree of the committed polynomial + ) -> Result { + if !H && (!p.l.is_empty() || !p.r.is_empty()) { + return Err(Error::CommitmentVerificationFail); + } + if H && (p.l.len() != k || p.r.len() != k) { + return Err(Error::CommitmentVerificationFail); + } + if p.L.len() != k || p.R.len() != k { + return Err(Error::CommitmentVerificationFail); + } + + // absorbs & get challenges + transcript.absorb_point(&P)?; + let s = transcript.get_challenge(); + let U = C::generator().mul(s); + let mut u: Vec = vec![C::ScalarField::zero(); k]; + for i in (0..k).rev() { + transcript.absorb_point(&p.L[i])?; + transcript.absorb_point(&p.R[i])?; + u[i] = transcript.get_challenge(); + } + + let P = P + U.mul(v); + + let mut q_0 = P; + let mut r = r; + + // compute u[i]^-1 once + let mut u_invs = vec![C::ScalarField::zero(); u.len()]; + for (j, u_j) in u.iter().enumerate() { + u_invs[j] = u_j + .inverse() + .ok_or(Error::Other("error on computing inverse".to_string()))?; + } + + // compute b & G from s + let s = build_s(&u, &u_invs, k)?; + // b = = + let b = s_b_inner(&u, &x)?; + let d: usize = 2_u64.pow(k as u32) as usize; + if params.generators.len() < d { + return Err(Error::PedersenParamsLen(params.generators.len(), d)); + } + let G = C::msm_unchecked(¶ms.generators, &s); + + for (j, u_j) in u.iter().enumerate() { + let uj2 = u_j.square(); + let uj_inv2 = u_invs[j].square(); + + q_0 = q_0 + p.L[j].mul(uj2) + p.R[j].mul(uj_inv2); + if H { + r = r + p.l[j] * uj2 + p.r[j] * uj_inv2; + } + } + + let q_1 = if H { + G.mul(p.a) + params.h.mul(r) + U.mul(p.a * b) + } else { + G.mul(p.a) + U.mul(p.a * b) + }; + + Ok(q_0 == q_1) + } +} + +/// Computes s such that +/// s = ( +/// u₁⁻¹ u₂⁻¹ … uₖ⁻¹, +/// u₁ u₂⁻¹ … uₖ⁻¹, +/// u₁⁻¹ u₂ … uₖ⁻¹, +/// u₁ u₂ … uₖ⁻¹, +/// ⋮ ⋮ ⋮ +/// u₁ u₂ … uₖ +/// ) +/// Uses Halo2 approach computing $g(X) = \prod\limits_{i=0}^{k-1} (1 + u_{k - 1 - i} X^{2^i})$, +/// taking 2^{k+1}-2. +/// src: https://github.com/zcash/halo2/blob/81729eca91ba4755e247f49c3a72a4232864ec9e/halo2_proofs/src/poly/commitment/verifier.rs#L156 +fn build_s(u: &[F], u_invs: &[F], k: usize) -> Result, Error> { + let d: usize = 2_u64.pow(k as u32) as usize; + let mut s: Vec = vec![F::one(); d]; + for (len, (u_j, u_j_inv)) in u + .iter() + .zip(u_invs) + .enumerate() + .map(|(i, u_j)| (1 << i, u_j)) + { + let (left, right) = s.split_at_mut(len); + let right = &mut right[0..len]; + right.copy_from_slice(left); + for s in left { + *s *= u_j_inv; + } + for s in right { + *s *= u_j; + } + } + Ok(s) +} + +/// Computes (in-circuit) s such that +/// s = ( +/// u₁⁻¹ u₂⁻¹ … uₖ⁻¹, +/// u₁ u₂⁻¹ … uₖ⁻¹, +/// u₁⁻¹ u₂ … uₖ⁻¹, +/// u₁ u₂ … uₖ⁻¹, +/// ⋮ ⋮ ⋮ +/// u₁ u₂ … uₖ +/// ) +/// Uses Halo2 approach computing $g(X) = \prod\limits_{i=0}^{k-1} (1 + u_{k - 1 - i} X^{2^i})$, +/// taking 2^{k+1}-2. +/// src: https://github.com/zcash/halo2/blob/81729eca91ba4755e247f49c3a72a4232864ec9e/halo2_proofs/src/poly/commitment/verifier.rs#L156 +fn build_s_gadget( + u: &[NonNativeFieldVar], + u_invs: &[NonNativeFieldVar], + k: usize, +) -> Result>, SynthesisError> { + let d: usize = 2_u64.pow(k as u32) as usize; + let mut s: Vec> = vec![NonNativeFieldVar::one(); d]; + for (len, (u_j, u_j_inv)) in u + .iter() + .zip(u_invs) + .enumerate() + .map(|(i, u_j)| (1 << i, u_j)) + { + let (left, right) = s.split_at_mut(len); + let right = &mut right[0..len]; + right.clone_from_slice(left); + for s in left { + *s *= u_j_inv; + } + for s in right { + *s *= u_j; + } + } + Ok(s) +} + +fn inner_prod(a: &[F], b: &[F]) -> Result { + if a.len() != b.len() { + return Err(Error::NotSameLength( + "a".to_string(), + a.len(), + "b".to_string(), + b.len(), + )); + } + let c = cfg_iter!(a) + .zip(cfg_iter!(b)) + .map(|(a_i, b_i)| *a_i * b_i) + .sum(); + Ok(c) +} + +// g(x, u_1, u_2, ..., u_k) = , naively takes linear, but can compute in log time through +// g(x, u_1, u_2, ..., u_k) = \Prod u_i x^{2^i} + u_i^-1 +fn s_b_inner(u: &[F], x: &F) -> Result { + let mut c: F = F::one(); + let mut x_2_i = *x; // x_2_i is x^{2^i}, starting from x^{2^0}=x + for u_i in u.iter() { + c *= (*u_i * x_2_i) + + u_i + .inverse() + .ok_or(Error::Other("error on computing inverse".to_string()))?; + x_2_i *= x_2_i; + } + Ok(c) +} + +// g(x, u_1, u_2, ..., u_k) = , naively takes linear, but can compute in log time through +// g(x, u_1, u_2, ..., u_k) = \Prod u_i x^{2^i} + u_i^-1 +fn s_b_inner_gadget( + u: &[NonNativeFieldVar], + x: &NonNativeFieldVar, +) -> Result, SynthesisError> { + let mut c: NonNativeFieldVar = NonNativeFieldVar::::one(); + let mut x_2_i = x.clone(); // x_2_i is x^{2^i}, starting from x^{2^0}=x + for u_i in u.iter() { + c *= u_i.clone() * x_2_i.clone() + u_i.inverse()?; + x_2_i *= x_2_i.clone(); + } + Ok(c) +} + +pub type CF = <::BaseField as Field>::BasePrimeField; + +pub struct ProofVar>> { + a: NonNativeFieldVar>, + l: Vec>>, + r: Vec>>, + L: Vec, + R: Vec, +} +impl AllocVar, CF> for ProofVar +where + C: CurveGroup, + GC: CurveVar>, + ::BaseField: PrimeField, +{ + fn new_variable>>( + cs: impl Into>>, + f: impl FnOnce() -> Result, + mode: AllocationMode, + ) -> Result { + f().and_then(|val| { + let cs = cs.into(); + + let a = NonNativeFieldVar::>::new_variable( + cs.clone(), + || Ok(val.borrow().a), + mode, + )?; + let l: Vec>> = + Vec::new_variable(cs.clone(), || Ok(val.borrow().l.clone()), mode)?; + let r: Vec>> = + Vec::new_variable(cs.clone(), || Ok(val.borrow().r.clone()), mode)?; + let L: Vec = Vec::new_variable(cs.clone(), || Ok(val.borrow().L.clone()), mode)?; + let R: Vec = Vec::new_variable(cs.clone(), || Ok(val.borrow().R.clone()), mode)?; + + Ok(Self { a, l, r, L, R }) + }) + } +} + +/// IPAGadget implements the circuit that verifies an IPA Proof. The `H` parameter indicates if to +/// use the commitment in hiding mode or not, reducing a bit the number of constraints needed in +/// the later case. +pub struct IPAGadget +where + C: CurveGroup, + GC: CurveVar>, +{ + _cf: PhantomData>, + _c: PhantomData, + _gc: PhantomData, +} + +impl IPAGadget +where + C: CurveGroup, + GC: CurveVar>, + + ::BaseField: ark_ff::PrimeField, + for<'a> &'a GC: GroupOpsBounds<'a, C, GC>, +{ + /// Verify the IPA opening proof, K=log2(d), where d is the degree of the committed polynomial, + /// and H indicates if the commitment is in hiding mode and thus uses blinding factors, if not, + /// there are some constraints saved. + #[allow(clippy::too_many_arguments)] + pub fn verify( + g: &Vec, // params.generators + h: &GC, // params.h + x: &NonNativeFieldVar>, // evaluation point + v: &NonNativeFieldVar>, // value at evaluation point + P: &GC, // commitment + p: &ProofVar, + r: &NonNativeFieldVar>, // blinding factor + u: &[NonNativeFieldVar>; K], // challenges + U: &GC, // challenge + ) -> Result>, SynthesisError> { + if p.L.len() != K || p.R.len() != K { + return Err(SynthesisError::Unsatisfiable); + } + + let P_ = P + U.scalar_mul_le(v.to_bits_le()?.iter())?; + let mut q_0 = P_; + let mut r = r.clone(); + + // compute u[i]^-1 once + let mut u_invs = vec![NonNativeFieldVar::>::zero(); u.len()]; + for (j, u_j) in u.iter().enumerate() { + u_invs[j] = u_j.inverse()?; + } + + // compute b & G from s + // let d: usize = 2_u64.pow(K as u32) as usize; + let s = build_s_gadget(u, &u_invs, K)?; + // b = = + let b = s_b_inner_gadget(u, x)?; + // ensure that generators.len() === s.len(): + if g.len() < K { + return Err(SynthesisError::Unsatisfiable); + } + + // msm: G= + let mut G = GC::zero(); + for (i, s_i) in s.iter().enumerate() { + G += g[i].scalar_mul_le(s_i.to_bits_le()?.iter())?; + } + + for (j, u_j) in u.iter().enumerate() { + let uj2 = u_j.square()?; + let uj_inv2 = u_invs[j].square()?; // cheaper square than inversing the uj2 + + q_0 = q_0 + + p.L[j].scalar_mul_le(uj2.to_bits_le()?.iter())? + + p.R[j].scalar_mul_le(uj_inv2.to_bits_le()?.iter())?; + if H { + r = r + &p.l[j] * &uj2 + &p.r[j] * &uj_inv2; + } + } + + let q_1 = if H { + G.scalar_mul_le(p.a.to_bits_le()?.iter())? + + h.scalar_mul_le(r.to_bits_le()?.iter())? + + U.scalar_mul_le((p.a.clone() * b).to_bits_le()?.iter())? + } else { + G.scalar_mul_le(p.a.to_bits_le()?.iter())? + + U.scalar_mul_le((p.a.clone() * b).to_bits_le()?.iter())? + }; + // q_0 == q_1 + q_0.is_eq(&q_1) + } +} + +#[cfg(test)] +mod tests { + use ark_ec::Group; + use ark_pallas::{constraints::GVar, Fq, Fr, Projective}; + use ark_r1cs_std::{alloc::AllocVar, bits::boolean::Boolean, eq::EqGadget}; + use ark_relations::r1cs::ConstraintSystem; + use ark_std::UniformRand; + use std::ops::Mul; + + use super::*; + use crate::transcript::poseidon::{poseidon_test_config, PoseidonTranscript}; + + #[test] + fn test_ipa() { + test_ipa_opt::(); + test_ipa_opt::(); + } + fn test_ipa_opt() { + let mut rng = ark_std::test_rng(); + + const k: usize = 4; + const d: usize = 2_u64.pow(k as u32) as usize; + + // setup params + let params = IPA::::new_params(&mut rng, d); + + let poseidon_config = poseidon_test_config::(); + // init Prover's transcript + let mut transcript_p = PoseidonTranscript::::new(&poseidon_config); + // init Verifier's transcript + let mut transcript_v = PoseidonTranscript::::new(&poseidon_config); + + let a: Vec = std::iter::repeat_with(|| Fr::rand(&mut rng)) + .take(d) + .collect(); + let r_blind: Fr = Fr::rand(&mut rng); + let cm = IPA::::commit(¶ms, &a, &r_blind).unwrap(); + + // evaluation point + let x = Fr::rand(&mut rng); + + let proof = IPA::::prove( + ¶ms, + &mut transcript_p, + &cm, + &a, + &x, + Some(&mut rng), + ) + .unwrap(); + + let b = powers_of(x, d); + let v = inner_prod(&a, &b).unwrap(); + assert!(IPA::::verify( + ¶ms, + &mut transcript_v, + x, + v, + cm, + proof, + r_blind, + k, + ) + .unwrap()); + } + + #[test] + fn test_ipa_gadget() { + test_ipa_gadget_opt::(); + test_ipa_gadget_opt::(); + } + fn test_ipa_gadget_opt() { + let mut rng = ark_std::test_rng(); + + const k: usize = 4; + const d: usize = 2_u64.pow(k as u32) as usize; + + // setup params + let params = IPA::::new_params(&mut rng, d); + + let poseidon_config = poseidon_test_config::(); + // init Prover's transcript + let mut transcript_p = PoseidonTranscript::::new(&poseidon_config); + // init Verifier's transcript + let mut transcript_v = PoseidonTranscript::::new(&poseidon_config); + + let mut a: Vec = std::iter::repeat_with(|| Fr::rand(&mut rng)) + .take(d / 2) + .collect(); + a.extend(vec![Fr::zero(); d / 2]); + let r_blind: Fr = Fr::rand(&mut rng); + let cm = IPA::::commit(¶ms, &a, &r_blind).unwrap(); + + // evaluation point + let x = Fr::rand(&mut rng); + + let proof = IPA::::prove( + ¶ms, + &mut transcript_p, + &cm, + &a, + &x, + Some(&mut rng), + ) + .unwrap(); + + let b = powers_of(x, d); + let v = inner_prod(&a, &b).unwrap(); + assert!(IPA::::verify( + ¶ms, + &mut transcript_v, + x, + v, + cm, + proof.clone(), + r_blind, + k, + ) + .unwrap()); + + // circuit + let cs = ConstraintSystem::::new_ref(); + + let mut transcript_v = PoseidonTranscript::::new(&poseidon_config); + transcript_v.absorb_point(&cm).unwrap(); + let s = transcript_v.get_challenge(); + let U = Projective::generator().mul(s); + let mut u: Vec = vec![Fr::zero(); k]; + for i in (0..k).rev() { + transcript_v.absorb_point(&proof.L[i]).unwrap(); + transcript_v.absorb_point(&proof.R[i]).unwrap(); + u[i] = transcript_v.get_challenge(); + } + + // prepare inputs + let gVar = Vec::::new_constant(cs.clone(), params.generators).unwrap(); + let hVar = GVar::new_constant(cs.clone(), params.h).unwrap(); + let xVar = NonNativeFieldVar::::new_witness(cs.clone(), || Ok(x)).unwrap(); + let vVar = NonNativeFieldVar::::new_witness(cs.clone(), || Ok(v)).unwrap(); + let cmVar = GVar::new_witness(cs.clone(), || Ok(cm)).unwrap(); + let proofVar = ProofVar::::new_witness(cs.clone(), || Ok(proof)).unwrap(); + let r_blindVar = + NonNativeFieldVar::::new_witness(cs.clone(), || Ok(r_blind)).unwrap(); + let uVar_vec = Vec::>::new_witness(cs.clone(), || Ok(u)).unwrap(); + let uVar: [NonNativeFieldVar; k] = uVar_vec.try_into().unwrap(); + let UVar = GVar::new_witness(cs.clone(), || Ok(U)).unwrap(); + + let v = IPAGadget::::verify::( + // &mut transcriptVar, + &gVar, + &hVar, + &xVar, + &vVar, + &cmVar, + &proofVar, + &r_blindVar, + &uVar, + &UVar, + ) + .unwrap(); + v.enforce_equal(&Boolean::TRUE).unwrap(); + assert!(cs.is_satisfied().unwrap()); + } +} diff --git a/folding-schemes/src/commitment/kzg.rs b/folding-schemes/src/commitment/kzg.rs index fdb6601..79dad50 100644 --- a/folding-schemes/src/commitment/kzg.rs +++ b/folding-schemes/src/commitment/kzg.rs @@ -17,7 +17,7 @@ use ark_poly::{ DenseUVPolynomial, EvaluationDomain, Evaluations, GeneralEvaluationDomain, Polynomial, }; use ark_poly_commit::kzg10::{VerifierKey, KZG10}; -use ark_std::rand::Rng; +use ark_std::rand::{Rng, RngCore}; use ark_std::{borrow::Cow, fmt::Debug}; use ark_std::{One, Zero}; use core::marker::PhantomData; @@ -66,11 +66,11 @@ where /// KZGProver implements the CommitmentProver trait for the KZG commitment scheme. #[derive(Debug, Clone, Default, Eq, PartialEq)] -pub struct KZGProver<'a, C: CurveGroup> { +pub struct KZGProver<'a, C: CurveGroup, const H: bool = false> { _a: PhantomData<&'a ()>, _c: PhantomData, } -impl<'a, C> CommitmentProver for KZGProver<'a, C> +impl<'a, C, const H: bool> CommitmentProver for KZGProver<'a, C, H> where C: CurveGroup, { @@ -87,8 +87,8 @@ where v: &[C::ScalarField], _blind: &C::ScalarField, ) -> Result { - if !_blind.is_zero() { - return Err(Error::NotSupportedYet("blinding factors".to_string())); + if !_blind.is_zero() || H { + return Err(Error::NotSupportedYet("hiding".to_string())); } let polynomial = poly_from_vec(v.to_vec())?; @@ -113,9 +113,10 @@ where cm: &C, v: &[C::ScalarField], _blind: &C::ScalarField, + _rng: Option<&mut dyn RngCore>, ) -> Result { - if !_blind.is_zero() { - return Err(Error::NotSupportedYet("blinding factors".to_string())); + if !_blind.is_zero() || H { + return Err(Error::NotSupportedYet("hiding".to_string())); } let polynomial = poly_from_vec(v.to_vec())?; @@ -213,7 +214,7 @@ mod tests { let cm = KZGProver::::commit(&pk, &v, &Fr::zero()).unwrap(); let (eval, proof) = - KZGProver::::prove(&pk, transcript_p, &cm, &v, &Fr::zero()).unwrap(); + KZGProver::::prove(&pk, transcript_p, &cm, &v, &Fr::zero(), None).unwrap(); // verify the proof: // get evaluation challenge diff --git a/folding-schemes/src/commitment/mod.rs b/folding-schemes/src/commitment/mod.rs index fdba674..8623189 100644 --- a/folding-schemes/src/commitment/mod.rs +++ b/folding-schemes/src/commitment/mod.rs @@ -1,14 +1,17 @@ use ark_ec::CurveGroup; use ark_std::fmt::Debug; +use ark_std::rand::RngCore; use crate::transcript::Transcript; use crate::Error; +pub mod ipa; pub mod kzg; pub mod pedersen; -/// CommitmentProver defines the vector commitment scheme prover trait. -pub trait CommitmentProver: Clone + Debug { +/// CommitmentProver defines the vector commitment scheme prover trait. Where `H` indicates if to +/// use the commitment in hiding mode or not. +pub trait CommitmentProver: Clone + Debug { type Params: Clone + Debug; type Proof: Clone + Debug; @@ -23,6 +26,7 @@ pub trait CommitmentProver: Clone + Debug { cm: &C, v: &[C::ScalarField], blind: &C::ScalarField, + rng: Option<&mut dyn RngCore>, ) -> Result; } @@ -65,7 +69,15 @@ mod tests { let v_3: Vec = v_1.iter().zip(v_2).map(|(a, b)| *a + (r * b)).collect(); let transcript = &mut PoseidonTranscript::::new(poseidon_config); - let proof = CP::prove(params, transcript, &cm_3, &v_3, &C::ScalarField::zero()).unwrap(); + let proof = CP::prove( + params, + transcript, + &cm_3, + &v_3, + &C::ScalarField::zero(), + None, + ) + .unwrap(); Ok((cm_3, proof)) } diff --git a/folding-schemes/src/commitment/pedersen.rs b/folding-schemes/src/commitment/pedersen.rs index 1feee43..8542975 100644 --- a/folding-schemes/src/commitment/pedersen.rs +++ b/folding-schemes/src/commitment/pedersen.rs @@ -1,8 +1,12 @@ use ark_ec::CurveGroup; use ark_ff::Field; -use ark_r1cs_std::{boolean::Boolean, groups::GroupOpsBounds, prelude::CurveVar}; +use ark_r1cs_std::{groups::GroupOpsBounds, prelude::CurveVar}; use ark_relations::r1cs::SynthesisError; -use ark_std::{rand::Rng, UniformRand}; +use ark_std::Zero; +use ark_std::{ + rand::{Rng, RngCore}, + UniformRand, +}; use core::marker::PhantomData; use super::CommitmentProver; @@ -24,25 +28,24 @@ pub struct Params { } #[derive(Debug, Clone, Eq, PartialEq)] -pub struct Pedersen { +pub struct Pedersen { _c: PhantomData, } -impl Pedersen { +impl Pedersen { pub fn new_params(rng: &mut R, max: usize) -> Params { let generators: Vec = std::iter::repeat_with(|| C::Affine::rand(rng)) .take(max.next_power_of_two()) .collect(); - let params: Params = Params:: { + Params:: { h: C::rand(rng), generators, - }; - params + } } } // implement the CommitmentProver trait for Pedersen -impl CommitmentProver for Pedersen { +impl CommitmentProver for Pedersen { type Params = Params; type Proof = Proof; fn commit( @@ -55,6 +58,9 @@ impl CommitmentProver for Pedersen { } // h⋅r + // use msm_unchecked because we already ensured at the if that lengths match + if !H { + return Ok(C::msm_unchecked(¶ms.generators[..v.len()], v)); + } Ok(params.h.mul(r) + C::msm_unchecked(¶ms.generators[..v.len()], v)) } @@ -64,6 +70,7 @@ impl CommitmentProver for Pedersen { cm: &C, v: &[C::ScalarField], r: &C::ScalarField, // blinding factor + _rng: Option<&mut dyn RngCore>, ) -> Result { if params.generators.len() < v.len() { return Err(Error::PedersenParamsLen(params.generators.len(), v.len())); @@ -75,7 +82,10 @@ impl CommitmentProver for Pedersen { // R = h⋅r_1 + // use msm_unchecked because we already ensured at the if that lengths match - let R: C = params.h.mul(r1) + C::msm_unchecked(¶ms.generators[..d.len()], &d); + let mut R: C = C::msm_unchecked(¶ms.generators[..d.len()], &d); + if H { + R += params.h.mul(r1); + } transcript.absorb_point(&R)?; let e = transcript.get_challenge(); @@ -83,13 +93,16 @@ impl CommitmentProver for Pedersen { // u = d + v⋅e let u = vec_add(&vec_scalar_mul(v, &e), &d)?; // r_u = e⋅r + r_1 - let r_u = e * r + r1; + let mut r_u = C::ScalarField::zero(); + if H { + r_u = e * r + r1; + } Ok(Self::Proof { R, u, r_u }) } } -impl Pedersen { +impl Pedersen { pub fn verify( params: &Params, transcript: &mut impl Transcript, @@ -112,8 +125,10 @@ impl Pedersen { // check that: R + cm⋅e == h⋅r_u + let lhs = proof.R + cm.mul(e); // use msm_unchecked because we already ensured at the if that lengths match - let rhs = params.h.mul(proof.r_u) - + C::msm_unchecked(¶ms.generators[..proof.u.len()], &proof.u); + let mut rhs = C::msm_unchecked(¶ms.generators[..proof.u.len()], &proof.u); + if H { + rhs += params.h.mul(proof.r_u); + } if lhs != rhs { return Err(Error::CommitmentVerificationFail); } @@ -123,7 +138,7 @@ impl Pedersen { pub type CF = <::BaseField as Field>::BasePrimeField; -pub struct PedersenGadget +pub struct PedersenGadget where C: CurveGroup, GC: CurveVar>, @@ -133,7 +148,8 @@ where _gc: PhantomData, } -impl PedersenGadget +use ark_r1cs_std::{fields::nonnative::NonNativeFieldVar, ToBitsGadget}; +impl PedersenGadget where C: CurveGroup, GC: CurveVar>, @@ -144,13 +160,15 @@ where pub fn commit( h: GC, g: Vec, - v: Vec>>>, - r: Vec>>, + v: Vec>>, + r: NonNativeFieldVar>, ) -> Result { let mut res = GC::zero(); - res += h.scalar_mul_le(r.iter())?; + if H { + res += h.scalar_mul_le(r.to_bits_le()?.iter())?; + } for (i, v_i) in v.iter().enumerate() { - res += g[i].scalar_mul_le(v_i.iter())?; + res += g[i].scalar_mul_le(v_i.to_bits_le()?.iter())?; } Ok(res) } @@ -158,9 +176,8 @@ where #[cfg(test)] mod tests { - use ark_ff::{BigInteger, PrimeField}; use ark_pallas::{constraints::GVar, Fq, Fr, Projective}; - use ark_r1cs_std::{alloc::AllocVar, bits::boolean::Boolean, eq::EqGadget}; + use ark_r1cs_std::{alloc::AllocVar, eq::EqGadget}; use ark_relations::r1cs::ConstraintSystem; use ark_std::UniformRand; @@ -186,15 +203,20 @@ mod tests { .collect(); let r: Fr = Fr::rand(&mut rng); let cm = Pedersen::::commit(¶ms, &v, &r).unwrap(); - let proof = Pedersen::::prove(¶ms, &mut transcript_p, &cm, &v, &r).unwrap(); + let proof = + Pedersen::::prove(¶ms, &mut transcript_p, &cm, &v, &r, None).unwrap(); Pedersen::::verify(¶ms, &mut transcript_v, cm, proof).unwrap(); } #[test] fn test_pedersen_circuit() { + test_pedersen_circuit_opt::(); + test_pedersen_circuit_opt::(); + } + fn test_pedersen_circuit_opt() { let mut rng = ark_std::test_rng(); - let n: usize = 10; + let n: usize = 16; // setup params let params = Pedersen::::new_params(&mut rng, n); @@ -207,17 +229,9 @@ mod tests { // circuit let cs = ConstraintSystem::::new_ref(); - let v_bits: Vec> = v.iter().map(|val| val.into_bigint().to_bits_le()).collect(); - let r_bits: Vec = r.into_bigint().to_bits_le(); - // prepare inputs - let vVar: Vec>> = v_bits - .iter() - .map(|val_bits| { - Vec::>::new_witness(cs.clone(), || Ok(val_bits.clone())).unwrap() - }) - .collect(); - let rVar = Vec::>::new_witness(cs.clone(), || Ok(r_bits)).unwrap(); + let vVar = Vec::>::new_witness(cs.clone(), || Ok(v)).unwrap(); + let rVar = NonNativeFieldVar::::new_witness(cs.clone(), || Ok(r)).unwrap(); let gVar = Vec::::new_witness(cs.clone(), || Ok(params.generators)).unwrap(); let hVar = GVar::new_witness(cs.clone(), || Ok(params.h)).unwrap(); let expected_cmVar = GVar::new_witness(cs.clone(), || Ok(cm)).unwrap(); diff --git a/folding-schemes/src/folding/hypernova/cccs.rs b/folding-schemes/src/folding/hypernova/cccs.rs index 48c0701..77d9354 100644 --- a/folding-schemes/src/folding/hypernova/cccs.rs +++ b/folding-schemes/src/folding/hypernova/cccs.rs @@ -112,7 +112,7 @@ impl CCCS { ) -> Result<(), Error> { // check that C is the commitment of w. Notice that this is not verifying a Pedersen // opening, but checking that the commitment comes from committing to the witness. - if self.C != Pedersen::commit(pedersen_params, &w.w, &w.r_w)? { + if self.C != Pedersen::::commit(pedersen_params, &w.w, &w.r_w)? { return Err(Error::NotSatisfied); } diff --git a/folding-schemes/src/folding/hypernova/circuit.rs b/folding-schemes/src/folding/hypernova/circuit.rs index b769355..b74f783 100644 --- a/folding-schemes/src/folding/hypernova/circuit.rs +++ b/folding-schemes/src/folding/hypernova/circuit.rs @@ -180,7 +180,7 @@ mod tests { let r_x_prime: Vec = (0..ccs.s).map(|_| Fr::rand(&mut rng)).collect(); // Initialize a multifolding object - let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); + let pedersen_params = Pedersen::::new_params(&mut rng, ccs.n - ccs.l - 1); let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap(); let sigmas_thetas = compute_sigmas_and_thetas(&ccs, &[z1.clone()], &[z2.clone()], &r_x_prime); @@ -224,7 +224,7 @@ mod tests { let r_x_prime: Vec = (0..ccs.s).map(|_| Fr::rand(&mut rng)).collect(); // Initialize a multifolding object - let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); + let pedersen_params = Pedersen::::new_params(&mut rng, ccs.n - ccs.l - 1); let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap(); let sigmas_thetas = compute_sigmas_and_thetas(&ccs, &[z1.clone()], &[z2.clone()], &r_x_prime); @@ -267,7 +267,7 @@ mod tests { let r_x_prime: Vec = (0..ccs.s).map(|_| Fr::rand(&mut rng)).collect(); // Initialize a multifolding object - let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); + let pedersen_params = Pedersen::::new_params(&mut rng, ccs.n - ccs.l - 1); let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap(); let sigmas_thetas = compute_sigmas_and_thetas(&ccs, &[z1.clone()], &[z2.clone()], &r_x_prime); diff --git a/folding-schemes/src/folding/hypernova/lcccs.rs b/folding-schemes/src/folding/hypernova/lcccs.rs index 03a30b3..66d47ed 100644 --- a/folding-schemes/src/folding/hypernova/lcccs.rs +++ b/folding-schemes/src/folding/hypernova/lcccs.rs @@ -46,7 +46,7 @@ impl CCS { ) -> Result<(LCCCS, Witness), Error> { let w: Vec = z[(1 + self.l)..].to_vec(); let r_w = C::ScalarField::rand(rng); - let C = Pedersen::commit(pedersen_params, &w, &r_w)?; + let C = Pedersen::::commit(pedersen_params, &w, &r_w)?; let r_x: Vec = (0..self.s).map(|_| C::ScalarField::rand(rng)).collect(); let v = self.compute_v_j(z, &r_x); @@ -96,8 +96,8 @@ impl LCCCS { w: &Witness, ) -> Result<(), Error> { // check that C is the commitment of w. Notice that this is not verifying a Pedersen - // opening, but checking that the commitment comes from committing to the witness. - if self.C != Pedersen::commit(pedersen_params, &w.w, &w.r_w)? { + // opening, but checking that the Commmitment comes from committing to the witness. + if self.C != Pedersen::::commit(pedersen_params, &w.w, &w.r_w)? { return Err(Error::NotSatisfied); } diff --git a/folding-schemes/src/folding/hypernova/nimfs.rs b/folding-schemes/src/folding/hypernova/nimfs.rs index 6872db1..f8694f5 100644 --- a/folding-schemes/src/folding/hypernova/nimfs.rs +++ b/folding-schemes/src/folding/hypernova/nimfs.rs @@ -430,7 +430,7 @@ pub mod tests { // Create a basic CCS circuit let ccs = get_test_ccs::(); - let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); + let pedersen_params = Pedersen::::new_params(&mut rng, ccs.n - ccs.l - 1); // Generate a satisfying witness let z_1 = get_test_z(3); @@ -489,7 +489,7 @@ pub mod tests { let ccs = get_test_ccs::(); - let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); + let pedersen_params = Pedersen::::new_params(&mut rng, ccs.n - ccs.l - 1); // LCCCS witness let z_1 = get_test_z(2); @@ -557,7 +557,7 @@ pub mod tests { // Create a basic CCS circuit let ccs = get_test_ccs::(); - let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); + let pedersen_params = Pedersen::::new_params(&mut rng, ccs.n - ccs.l - 1); let mu = 10; let nu = 15; @@ -639,7 +639,7 @@ pub mod tests { // Create a basic CCS circuit let ccs = get_test_ccs::(); - let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); + let pedersen_params = Pedersen::::new_params(&mut rng, ccs.n - ccs.l - 1); let poseidon_config = poseidon_test_config::(); // Prover's transcript diff --git a/folding-schemes/src/folding/hypernova/utils.rs b/folding-schemes/src/folding/hypernova/utils.rs index c5a5bcc..219a417 100644 --- a/folding-schemes/src/folding/hypernova/utils.rs +++ b/folding-schemes/src/folding/hypernova/utils.rs @@ -290,7 +290,7 @@ pub mod tests { let r_x_prime: Vec = (0..ccs.s).map(|_| Fr::rand(&mut rng)).collect(); // Initialize a multifolding object - let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); + let pedersen_params = Pedersen::::new_params(&mut rng, ccs.n - ccs.l - 1); let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap(); let sigmas_thetas = @@ -333,7 +333,7 @@ pub mod tests { let beta: Vec = (0..ccs.s).map(|_| Fr::rand(&mut rng)).collect(); // Initialize a multifolding object - let pedersen_params = Pedersen::new_params(&mut rng, ccs.n - ccs.l - 1); + let pedersen_params = Pedersen::::new_params(&mut rng, ccs.n - ccs.l - 1); let (lcccs_instance, _) = ccs.to_lcccs(&mut rng, &pedersen_params, &z1).unwrap(); let mut sum_v_j_gamma = Fr::zero(); diff --git a/folding-schemes/src/folding/nova/circuits.rs b/folding-schemes/src/folding/nova/circuits.rs index fe4e385..c81ad01 100644 --- a/folding-schemes/src/folding/nova/circuits.rs +++ b/folding-schemes/src/folding/nova/circuits.rs @@ -654,7 +654,6 @@ pub mod tests { .generate_constraints(cs.clone()) .unwrap(); cs.finalize(); - println!("num_constraints={:?}", cs.num_constraints()); let cs = cs.into_inner().unwrap(); let r1cs = extract_r1cs::(&cs); let (w, x) = extract_w_x::(&cs); diff --git a/folding-schemes/src/folding/nova/cyclefold.rs b/folding-schemes/src/folding/nova/cyclefold.rs index 54dbb74..2cc7bc8 100644 --- a/folding-schemes/src/folding/nova/cyclefold.rs +++ b/folding-schemes/src/folding/nova/cyclefold.rs @@ -459,7 +459,6 @@ pub mod tests { .unwrap(); nifs_cf_check.enforce_equal(&Boolean::::TRUE).unwrap(); assert!(cs.is_satisfied().unwrap()); - dbg!(cs.num_constraints()); } #[test] @@ -500,7 +499,6 @@ pub mod tests { .unwrap(); nifs_check.enforce_equal(&Boolean::::TRUE).unwrap(); assert!(cs.is_satisfied().unwrap()); - dbg!(cs.num_constraints()); } #[test] diff --git a/folding-schemes/src/folding/nova/decider_eth_circuit.rs b/folding-schemes/src/folding/nova/decider_eth_circuit.rs index 12fb98b..1e6dc7b 100644 --- a/folding-schemes/src/folding/nova/decider_eth_circuit.rs +++ b/folding-schemes/src/folding/nova/decider_eth_circuit.rs @@ -370,13 +370,6 @@ where // `#[cfg(not(test))]` use crate::commitment::pedersen::PedersenGadget; use crate::folding::nova::cyclefold::{CycleFoldCommittedInstanceVar, CF_IO_LEN}; - use ark_r1cs_std::ToBitsGadget; - - let cf_r1cs = R1CSVar::< - C1::BaseField, - CF1, - NonNativeFieldVar>, - >::new_witness(cs.clone(), || Ok(self.cf_r1cs.clone()))?; let cf_u_dummy_native = CommittedInstance::::dummy(CF_IO_LEN); let w_dummy_native = Witness::::new( @@ -393,28 +386,24 @@ where // 5. check Pedersen commitments of cf_U_i.{cmE, cmW} let H = GC2::new_constant(cs.clone(), self.cf_pedersen_params.h)?; let G = Vec::::new_constant(cs.clone(), self.cf_pedersen_params.generators)?; - let cf_W_i_E_bits: Vec>>> = cf_W_i - .E - .iter() - .map(|E_i| E_i.to_bits_le().unwrap()) - .collect(); - let cf_W_i_W_bits: Vec>>> = cf_W_i - .W - .iter() - .map(|W_i| W_i.to_bits_le().unwrap()) - .collect(); let computed_cmE = PedersenGadget::::commit( H.clone(), G.clone(), - cf_W_i_E_bits, - cf_W_i.rE.to_bits_le()?, + cf_W_i.E.clone(), + cf_W_i.rE, )?; cf_U_i.cmE.enforce_equal(&computed_cmE)?; let computed_cmW = - PedersenGadget::::commit(H, G, cf_W_i_W_bits, cf_W_i.rW.to_bits_le()?)?; + PedersenGadget::::commit(H, G, cf_W_i.W.clone(), cf_W_i.rW)?; cf_U_i.cmW.enforce_equal(&computed_cmW)?; + let cf_r1cs = R1CSVar::< + C1::BaseField, + CF1, + NonNativeFieldVar>, + >::new_witness(cs.clone(), || Ok(self.cf_r1cs.clone()))?; + // 6. check RelaxedR1CS of cf_U_i let cf_z_U: Vec>> = [vec![cf_U_i.u.clone()], cf_U_i.x.to_vec(), cf_W_i.W.to_vec()].concat(); @@ -681,6 +670,5 @@ pub mod tests { // generate the constraints and check that are satisfied by the inputs decider_circuit.generate_constraints(cs.clone()).unwrap(); assert!(cs.is_satisfied().unwrap()); - dbg!(cs.num_constraints()); } } diff --git a/folding-schemes/src/folding/nova/nifs.rs b/folding-schemes/src/folding/nova/nifs.rs index 21198f0..28b8fa9 100644 --- a/folding-schemes/src/folding/nova/nifs.rs +++ b/folding-schemes/src/folding/nova/nifs.rs @@ -190,9 +190,9 @@ where T: Vec, cmT: &C, ) -> Result<[CP::Proof; 3], Error> { - let cmE_proof = CP::prove(cm_prover_params, tr, &ci.cmE, &w.E, &w.rE)?; - let cmW_proof = CP::prove(cm_prover_params, tr, &ci.cmW, &w.W, &w.rW)?; - let cmT_proof = CP::prove(cm_prover_params, tr, cmT, &T, &C::ScalarField::one())?; // cm(T) is committed with rT=1 + let cmE_proof = CP::prove(cm_prover_params, tr, &ci.cmE, &w.E, &w.rE, None)?; + let cmW_proof = CP::prove(cm_prover_params, tr, &ci.cmW, &w.W, &w.rW, None)?; + let cmT_proof = CP::prove(cm_prover_params, tr, cmT, &T, &C::ScalarField::one(), None)?; // cm(T) is committed with rT=1 Ok([cmE_proof, cmW_proof, cmT_proof]) } } diff --git a/folding-schemes/src/folding/protogalaxy/folding.rs b/folding-schemes/src/folding/protogalaxy/folding.rs index b1491ca..946d15d 100644 --- a/folding-schemes/src/folding/protogalaxy/folding.rs +++ b/folding-schemes/src/folding/protogalaxy/folding.rs @@ -18,7 +18,8 @@ use super::{CommittedInstance, Witness}; use crate::ccs::r1cs::R1CS; use crate::transcript::Transcript; -use crate::utils::{bit::bit_decompose, vec::*}; +use crate::utils::vec::*; +use crate::utils::virtual_polynomial::bit_decompose; use crate::Error; #[derive(Clone, Debug)] diff --git a/folding-schemes/src/lib.rs b/folding-schemes/src/lib.rs index 256e92a..4e1d6de 100644 --- a/folding-schemes/src/lib.rs +++ b/folding-schemes/src/lib.rs @@ -40,10 +40,14 @@ pub enum Error { NotSameLength(String, usize, String, usize), #[error("Vector's length ({0}) is not the expected ({1})")] NotExpectedLength(usize, usize), + #[error("Vector ({0}) length ({1}) is not a power of two")] + NotPowerOfTwo(String, usize), #[error("Can not be empty")] Empty, #[error("Pedersen parameters length is not sufficient (generators.len={0} < vector.len={1} unsatisfied)")] PedersenParamsLen(usize, usize), + #[error("Randomness for blinding not found")] + MissingRandomness, #[error("Commitment verification failed")] CommitmentVerificationFail, #[error("IVC verification failed")] diff --git a/folding-schemes/src/utils/bit.rs b/folding-schemes/src/utils/bit.rs deleted file mode 100644 index 0e7a024..0000000 --- a/folding-schemes/src/utils/bit.rs +++ /dev/null @@ -1,9 +0,0 @@ -pub fn bit_decompose(input: u64, n: usize) -> Vec { - let mut res = Vec::with_capacity(n); - let mut i = input; - for _ in 0..n { - res.push(i & 1 == 1); - i >>= 1; - } - res -} diff --git a/folding-schemes/src/utils/mod.rs b/folding-schemes/src/utils/mod.rs index a095df0..5361804 100644 --- a/folding-schemes/src/utils/mod.rs +++ b/folding-schemes/src/utils/mod.rs @@ -1,4 +1,5 @@ -pub mod bit; +use ark_ff::PrimeField; + pub mod gadgets; pub mod hypercube; pub mod lagrange_poly; @@ -10,3 +11,13 @@ pub mod espresso; pub use crate::utils::espresso::multilinear_polynomial; pub use crate::utils::espresso::sum_check; pub use crate::utils::espresso::virtual_polynomial; + +/// For a given x, returns [1, x^1, x^2, ..., x^n-1]; +pub fn powers_of(x: F, n: usize) -> Vec { + let mut c: Vec = vec![F::zero(); n]; + c[0] = F::one(); + for i in 1..n { + c[i] = c[i - 1] * x; + } + c +}