Fit Nova+CycleFold into FoldingScheme trait & Add examples/ for f…

…olding SHA256 circuit (#64) * Update FoldingSchemes trait, fit Nova+CycleFold - update lib.rs's `FoldingScheme` trait interface - fit Nova+CycleFold into the `FoldingScheme` trait - refactor `src/nova/*` * Add `examples` dir, with Nova's `FoldingScheme` example * polishing * expose poseidon_test_config outside tests
privacy-scaling-explorations · Feb 2, 2024 · 186766c · 186766c
1 parent f85a056
commit 186766c
Show file tree

Hide file tree

Showing 18 changed files with 916 additions and 574 deletions.
diff --git a/examples/fold_sha256.rs b/examples/fold_sha256.rs
@@ -0,0 +1,172 @@
+#![allow(non_snake_case)]
+#![allow(non_upper_case_globals)]
+#![allow(non_camel_case_types)]
+#![allow(clippy::upper_case_acronyms)]
+
+use ark_crypto_primitives::crh::{
+    sha256::{
+        constraints::{Sha256Gadget, UnitVar},
+        Sha256,
+    },
+    CRHScheme, CRHSchemeGadget,
+};
+use ark_ff::{BigInteger, PrimeField, ToConstraintField};
+use ark_r1cs_std::{fields::fp::FpVar, ToBytesGadget, ToConstraintFieldGadget};
+use ark_relations::r1cs::{ConstraintSystemRef, SynthesisError};
+use core::marker::PhantomData;
+use std::time::Instant;
+
+use ark_pallas::{constraints::GVar, Fr, Projective};
+use ark_vesta::{constraints::GVar as GVar2, Projective as Projective2};
+
+use folding_schemes::commitment::pedersen::Pedersen;
+use folding_schemes::folding::nova::{get_r1cs, Nova, ProverParams, VerifierParams};
+use folding_schemes::frontend::FCircuit;
+use folding_schemes::transcript::poseidon::poseidon_test_config;
+use folding_schemes::{Error, FoldingScheme};
+
+/// This is the circuit that we want to fold, it implements the FCircuit trait.
+/// The parameter z_i denotes the current state, and z_{i+1} denotes the next state which we get by
+/// applying the step.
+/// In this example we set z_i and z_{i+1} to be a single value, but the trait is made to support
+/// arrays, so our state could be an array with different values.
+#[derive(Clone, Copy, Debug)]
+pub struct Sha256FCircuit<F: PrimeField> {
+    _f: PhantomData<F>,
+}
+impl<F: PrimeField> FCircuit<F> for Sha256FCircuit<F> {
+    type Params = ();
+
+    fn new(_params: Self::Params) -> Self {
+        Self { _f: PhantomData }
+    }
+
+    /// computes the next state values in place, assigning z_{i+1} into z_i, and computing the new
+    /// z_{i+1}
+    fn step_native(self, z_i: Vec<F>) -> Result<Vec<F>, Error> {
+        let out_bytes = Sha256::evaluate(&(), z_i[0].into_bigint().to_bytes_le()).unwrap();
+        let out: Vec<F> = out_bytes.to_field_elements().unwrap();
+
+        Ok(vec![out[0]])
+    }
+
+    /// generates the constraints for the step of F for the given z_i
+    fn generate_step_constraints(
+        self,
+        _cs: ConstraintSystemRef<F>,
+        z_i: Vec<FpVar<F>>,
+    ) -> Result<Vec<FpVar<F>>, SynthesisError> {
+        let unit_var = UnitVar::default();
+        let out_bytes = Sha256Gadget::evaluate(&unit_var, &z_i[0].to_bytes()?)?;
+        let out = out_bytes.0.to_constraint_field()?;
+        Ok(vec![out[0].clone()])
+    }
+}
+
+/// cargo test --example simple
+#[cfg(test)]
+pub mod tests {
+    use super::*;
+    use ark_r1cs_std::alloc::AllocVar;
+    use ark_relations::r1cs::ConstraintSystem;
+
+    // test to check that the Sha256FCircuit computes the same values inside and outside the circuit
+    #[test]
+    fn test_sha256_f_circuit() {
+        let cs = ConstraintSystem::<Fr>::new_ref();
+
+        let circuit = Sha256FCircuit::<Fr>::new(());
+        let z_i = vec![Fr::from(1_u32)];
+
+        let z_i1 = circuit.step_native(z_i.clone()).unwrap();
+
+        let z_iVar = Vec::<FpVar<Fr>>::new_witness(cs.clone(), || Ok(z_i)).unwrap();
+        let computed_z_i1Var = circuit
+            .generate_step_constraints(cs.clone(), z_iVar.clone())
+            .unwrap();
+        assert_eq!(computed_z_i1Var.value().unwrap(), z_i1);
+    }
+}
+
+// This method computes the Prover & Verifier parameters for the example. For a real world use case
+// those parameters should be generated carefuly (both the PoseidonConfig and the PedersenParams)
+#[allow(clippy::type_complexity)]
+fn nova_setup<FC: FCircuit<Fr>>(
+    F_circuit: FC,
+) -> (
+    ProverParams<Projective, Projective2, Pedersen<Projective>, Pedersen<Projective2>>,
+    VerifierParams<Projective, Projective2>,
+) {
+    let mut rng = ark_std::test_rng();
+    let poseidon_config = poseidon_test_config::<Fr>();
+
+    // get the CM & CF_CM len
+    let (r1cs, cf_r1cs) =
+        get_r1cs::<Projective, GVar, Projective2, GVar2, FC>(&poseidon_config, F_circuit).unwrap();
+    let cm_len = r1cs.A.n_rows;
+    let cf_cm_len = cf_r1cs.A.n_rows;
+
+    let pedersen_params = Pedersen::<Projective>::new_params(&mut rng, cm_len);
+    let cf_pedersen_params = Pedersen::<Projective2>::new_params(&mut rng, cf_cm_len);
+
+    let prover_params =
+        ProverParams::<Projective, Projective2, Pedersen<Projective>, Pedersen<Projective2>> {
+            poseidon_config: poseidon_config.clone(),
+            cm_params: pedersen_params,
+            cf_cm_params: cf_pedersen_params,
+        };
+    let verifier_params = VerifierParams::<Projective, Projective2> {
+        poseidon_config: poseidon_config.clone(),
+        r1cs,
+        cf_r1cs,
+    };
+    (prover_params, verifier_params)
+}
+
+/// cargo run --release --example fold_sha256
+fn main() {
+    let num_steps = 10;
+    let initial_state = vec![Fr::from(1_u32)];
+
+    let F_circuit = Sha256FCircuit::<Fr>::new(());
+
+    println!("Prepare Nova ProverParams & VerifierParams");
+    let (prover_params, verifier_params) = nova_setup::<Sha256FCircuit<Fr>>(F_circuit);
+
+    /// The idea here is that eventually we could replace the next line chunk that defines the
+    /// `type NOVA = Nova<...>` by using another folding scheme that fulfills the `FoldingScheme`
+    /// trait, and the rest of our code would be working without needing to be updated.
+    type NOVA = Nova<
+        Projective,
+        GVar,
+        Projective2,
+        GVar2,
+        Sha256FCircuit<Fr>,
+        Pedersen<Projective>,
+        Pedersen<Projective2>,
+    >;
+
+    println!("Initialize FoldingScheme");
+    let mut folding_scheme = NOVA::init(&prover_params, F_circuit, initial_state.clone()).unwrap();
+
+    // compute a step of the IVC
+    for i in 0..num_steps {
+        let start = Instant::now();
+        folding_scheme.prove_step().unwrap();
+        println!("Nova::prove_step {}: {:?}", i, start.elapsed());
+    }
+
+    let (running_instance, incomming_instance, cyclefold_instance) = folding_scheme.instances();
+
+    println!("Run the Nova's IVC verifier");
+    NOVA::verify(
+        verifier_params,
+        initial_state,
+        folding_scheme.state(), // latest state
+        Fr::from(num_steps as u32),
+        running_instance,
+        incomming_instance,
+        cyclefold_instance,
+    )
+    .unwrap();
+}
diff --git a/src/commitment/kzg.rs b/src/commitment/kzg.rs
@@ -65,6 +65,7 @@ where
 }
 
 /// KZGProver implements the CommitmentProver trait for the KZG commitment scheme.
+#[derive(Debug, Clone, Default, Eq, PartialEq)]
 pub struct KZGProver<'a, C: CurveGroup> {
     _a: PhantomData<&'a ()>,
     _c: PhantomData<C>,
@@ -196,7 +197,7 @@ mod tests {
     use ark_std::{test_rng, UniformRand};
 
     use super::*;
-    use crate::transcript::poseidon::{tests::poseidon_test_config, PoseidonTranscript};
+    use crate::transcript::poseidon::{poseidon_test_config, PoseidonTranscript};
 
     #[test]
     fn test_kzg_commitment_scheme() {

diff --git a/src/commitment/mod.rs b/src/commitment/mod.rs
@@ -8,9 +8,9 @@ pub mod kzg;
 pub mod pedersen;
 
 /// CommitmentProver defines the vector commitment scheme prover trait.
-pub trait CommitmentProver<C: CurveGroup> {
-    type Params: Debug;
-    type Proof: Debug;
+pub trait CommitmentProver<C: CurveGroup>: Clone + Debug {
+    type Params: Clone + Debug;
+    type Proof: Clone + Debug;
 
     fn commit(
         params: &Self::Params,
@@ -41,7 +41,7 @@ mod tests {
     use super::kzg::{KZGProver, KZGSetup, ProverKey};
     use super::pedersen::Pedersen;
     use crate::transcript::{
-        poseidon::{tests::poseidon_test_config, PoseidonTranscript},
+        poseidon::{poseidon_test_config, PoseidonTranscript},
         Transcript,
     };
 

diff --git a/src/commitment/pedersen.rs b/src/commitment/pedersen.rs
@@ -165,7 +165,7 @@ mod tests {
     use ark_std::UniformRand;
 
     use super::*;
-    use crate::transcript::poseidon::{tests::poseidon_test_config, PoseidonTranscript};
+    use crate::transcript::poseidon::{poseidon_test_config, PoseidonTranscript};
 
     #[test]
     fn test_pedersen_vector() {

diff --git a/src/constants.rs b/src/constants.rs
@@ -1,5 +1,5 @@
 // used for the RO challenges.
-// From [Srinath Setty](research.microsoft.com/en-us/people/srinath/): In Nova, soundness error ≤
-// 2/|S|, where S is the subset of the field F from which the challenges are drawn. In this case,
-// we keep the size of S close to 2^128.
+// From [Srinath Setty](https://microsoft.com/en-us/research/people/srinath/): In Nova, soundness
+// error ≤ 2/|S|, where S is the subset of the field F from which the challenges are drawn. In this
+// case, we keep the size of S close to 2^128.
 pub const N_BITS_RO: usize = 128;
diff --git a/src/folding/circuits/sum_check.rs b/src/folding/circuits/sum_check.rs
@@ -176,7 +176,7 @@ mod tests {
     use crate::{
         folding::circuits::sum_check::{IOPProofVar, VPAuxInfoVar},
         transcript::{
-            poseidon::{tests::poseidon_test_config, PoseidonTranscript, PoseidonTranscriptVar},
+            poseidon::{poseidon_test_config, PoseidonTranscript, PoseidonTranscriptVar},
             Transcript, TranscriptVar,
         },
         utils::{

diff --git a/src/folding/hypernova/nimfs.rs b/src/folding/hypernova/nimfs.rs
@@ -373,7 +373,7 @@ where
 pub mod tests {
     use super::*;
     use crate::ccs::tests::{get_test_ccs, get_test_z};
-    use crate::transcript::poseidon::tests::poseidon_test_config;
+    use crate::transcript::poseidon::poseidon_test_config;
     use crate::transcript::poseidon::PoseidonTranscript;
     use ark_std::test_rng;
     use ark_std::UniformRand;

diff --git a/src/folding/nova/circuits.rs b/src/folding/nova/circuits.rs
@@ -473,10 +473,10 @@ pub mod tests {
     use crate::commitment::pedersen::Pedersen;
     use crate::folding::nova::nifs::tests::prepare_simple_fold_inputs;
     use crate::folding::nova::{
-        ivc::get_committed_instance_coordinates, nifs::NIFS, traits::NovaR1CS, Witness,
+        get_committed_instance_coordinates, nifs::NIFS, traits::NovaR1CS, Witness,
     };
     use crate::frontend::tests::CubicFCircuit;
-    use crate::transcript::poseidon::tests::poseidon_test_config;
+    use crate::transcript::poseidon::poseidon_test_config;
 
     #[test]
     fn test_committed_instance_var() {

diff --git a/src/folding/nova/cyclefold.rs b/src/folding/nova/cyclefold.rs
@@ -402,7 +402,7 @@ pub mod tests {
     use ark_std::UniformRand;
 
     use crate::folding::nova::nifs::tests::prepare_simple_fold_inputs;
-    use crate::transcript::poseidon::tests::poseidon_test_config;
+    use crate::transcript::poseidon::poseidon_test_config;
 
     #[test]
     fn test_committed_instance_cyclefold_var() {