Add IPA commitment scheme and the respective circuit verifier gadget (#72)

* Add IPA commitment native implementation * Add IPA Gadget verifier * polish Pedersen & IPA, add blind bool param to IPA * Optimize IPA gadget constraints (and native): - optimize <s,b> computation from linear to log time - optimize s computation from k*2^k to k*(2^k)/2 * add small optimization: delegate u_i^-1 to prover and just check u_i*u_i^-1==1 in verifier circuit * IPA polish and document * Add 'BLIND' parameter to CommitmentProver trait (and to Pedersen and KZG impls). Fit IPA into CommitmentProver trait. * rename 'BLIND' to 'H' (hiding) in commitment * IPA: rm u_invs from Proof and compute them incircuit * Update IPA's build_s & gadget to use Halo2 approach following @han0110 's suggestion. This reduced further the amount of constraints needed. - for k=4: -9k constraints (-7%) - for k=8: -473k constr (-31%) - for k=9: -1123k constr (-35%) - for k=10: -2578k constr (-39%) And now IPA verification (without amortizing) is very close to Pedersen verification (in-circuits). * rm dbg!(cs.num_constraints()) from multiple tests * IPA::prove remove intermediate v_lo,v_hi vectors, add doc to build_s_gadget * move powers_of into utils/mod.rs, update iters to cfg_iter
2026-02-02 17:26:44 +01:00 · 2024-03-01 09:52:07 +01:00
parent 9159c5c84c
commit b25037e34c
18 changed files with 796 additions and 96 deletions
--- a/folding-schemes/src/commitment/mod.rs
+++ b/folding-schemes/src/commitment/mod.rs
@@ -1,14 +1,17 @@
 use ark_ec::CurveGroup;
 use ark_std::fmt::Debug;
+use ark_std::rand::RngCore;

 use crate::transcript::Transcript;
 use crate::Error;

+pub mod ipa;
 pub mod kzg;
 pub mod pedersen;

-/// CommitmentProver defines the vector commitment scheme prover trait.
-pub trait CommitmentProver<C: CurveGroup>: Clone + Debug {
+/// CommitmentProver defines the vector commitment scheme prover trait. Where `H` indicates if to
+/// use the commitment in hiding mode or not.
+pub trait CommitmentProver<C: CurveGroup, const H: bool = false>: Clone + Debug {
    type Params: Clone + Debug;
    type Proof: Clone + Debug;

@@ -23,6 +26,7 @@ pub trait CommitmentProver<C: CurveGroup>: Clone + Debug {
        cm: &C,
        v: &[C::ScalarField],
        blind: &C::ScalarField,
+        rng: Option<&mut dyn RngCore>,
    ) -> Result<Self::Proof, Error>;
 }

@@ -65,7 +69,15 @@ mod tests {
        let v_3: Vec<C::ScalarField> = v_1.iter().zip(v_2).map(|(a, b)| *a + (r * b)).collect();

        let transcript = &mut PoseidonTranscript::<C>::new(poseidon_config);
-        let proof = CP::prove(params, transcript, &cm_3, &v_3, &C::ScalarField::zero()).unwrap();
+        let proof = CP::prove(
+            params,
+            transcript,
+            &cm_3,
+            &v_3,
+            &C::ScalarField::zero(),
+            None,
+        )
+        .unwrap();

        Ok((cm_3, proof))
    }