From 644440b9bb3e85814854a6cfb109493dbd6ca09d Mon Sep 17 00:00:00 2001 From: arnaucube Date: Thu, 25 Jan 2024 14:45:01 +0100 Subject: [PATCH] Add CommitmentProver trait, and add KZG prover to it (#62) * Add KZG commitment scheme adapted to vector commitment Add KZG commitment scheme adapted to vector commitment Also move the `src/pedersen.rs` into `src/commitment/pedersen.rs` where it will coexist with `kzg.rs` and the trait defined in `src/commitment/mod.rs`. * Adapt Pedersen into the new CommitmentProver trait * add CommitmentProver (Pedersen&KZG) homomorphic property test * polishing * Use divide_with_q_and_r, rename skip_first_zero_coeffs Co-authored-by: han0110 --------- Co-authored-by: han0110 --- folding-schemes/src/folding/hypernova/cccs.rs | 5 +- .../src/folding/hypernova/circuit.rs | 2 +- .../src/folding/hypernova/lcccs.rs | 5 +- .../src/folding/hypernova/nimfs.rs | 4 +- .../src/folding/hypernova/utils.rs | 2 +- folding-schemes/src/folding/nova/circuits.rs | 2 +- folding-schemes/src/folding/nova/decider.rs | 4 +- folding-schemes/src/folding/nova/ivc.rs | 2 +- folding-schemes/src/folding/nova/mod.rs | 11 +- folding-schemes/src/folding/nova/nifs.rs | 5 +- .../src/folding/protogalaxy/folding.rs | 2 +- folding-schemes/src/lib.rs | 12 +- folding-schemes/src/pedersen.rs | 221 ----------------- src/commitment/kzg.rs | 234 ++++++++++++++++++ src/commitment/mod.rs | 127 ++++++++++ src/commitment/pedersen.rs | 229 +++++++++++++++++ 16 files changed, 628 insertions(+), 239 deletions(-) create mode 100644 src/commitment/kzg.rs create mode 100644 src/commitment/mod.rs create mode 100644 src/commitment/pedersen.rs diff --git a/folding-schemes/src/folding/hypernova/cccs.rs b/folding-schemes/src/folding/hypernova/cccs.rs index 1ece6195..275cef96 100644 --- a/folding-schemes/src/folding/hypernova/cccs.rs +++ b/folding-schemes/src/folding/hypernova/cccs.rs @@ -9,7 +9,10 @@ use ark_std::{rand::Rng, UniformRand}; use super::utils::compute_sum_Mz; use crate::ccs::CCS; -use crate::pedersen::{Params as PedersenParams, Pedersen}; +use crate::commitment::{ + pedersen::{Params as PedersenParams, Pedersen}, + CommitmentProver, +}; use crate::utils::hypercube::BooleanHypercube; use crate::utils::mle::matrix_to_mle; use crate::utils::mle::vec_to_mle; diff --git a/folding-schemes/src/folding/hypernova/circuit.rs b/folding-schemes/src/folding/hypernova/circuit.rs index 4789bfa1..9b672bad 100644 --- a/folding-schemes/src/folding/hypernova/circuit.rs +++ b/folding-schemes/src/folding/hypernova/circuit.rs @@ -157,11 +157,11 @@ mod tests { tests::{get_test_ccs, get_test_z}, CCS, }, + commitment::pedersen::Pedersen, folding::hypernova::utils::{ compute_c_from_sigmas_and_thetas, compute_sigmas_and_thetas, sum_ci_mul_prod_thetaj, sum_muls_gamma_pows_eq_sigma, }, - pedersen::Pedersen, utils::virtual_polynomial::eq_eval, }; use ark_pallas::{Fr, Projective}; diff --git a/folding-schemes/src/folding/hypernova/lcccs.rs b/folding-schemes/src/folding/hypernova/lcccs.rs index d107ddff..f7c25270 100644 --- a/folding-schemes/src/folding/hypernova/lcccs.rs +++ b/folding-schemes/src/folding/hypernova/lcccs.rs @@ -8,7 +8,10 @@ use ark_std::{rand::Rng, UniformRand}; use super::cccs::Witness; use super::utils::{compute_all_sum_Mz_evals, compute_sum_Mz}; use crate::ccs::CCS; -use crate::pedersen::{Params as PedersenParams, Pedersen}; +use crate::commitment::{ + pedersen::{Params as PedersenParams, Pedersen}, + CommitmentProver, +}; use crate::utils::mle::{matrix_to_mle, vec_to_mle}; use crate::utils::virtual_polynomial::VirtualPolynomial; use crate::Error; diff --git a/folding-schemes/src/folding/hypernova/nimfs.rs b/folding-schemes/src/folding/hypernova/nimfs.rs index a8ee4dc6..da408e16 100644 --- a/folding-schemes/src/folding/hypernova/nimfs.rs +++ b/folding-schemes/src/folding/hypernova/nimfs.rs @@ -213,7 +213,7 @@ where ////////////////////////////////////////////////////////////////////// let mut g_over_bhc = C::ScalarField::zero(); for x in BooleanHypercube::new(ccs.s) { - g_over_bhc += g.evaluate(&x).unwrap(); + g_over_bhc += g.evaluate(&x)?; } // note: this is the sum of g(x) over the whole boolean hypercube @@ -378,7 +378,7 @@ pub mod tests { use ark_std::test_rng; use ark_std::UniformRand; - use crate::pedersen::Pedersen; + use crate::commitment::pedersen::Pedersen; use ark_pallas::{Fr, Projective}; #[test] diff --git a/folding-schemes/src/folding/hypernova/utils.rs b/folding-schemes/src/folding/hypernova/utils.rs index 0db62f13..c5a5bcce 100644 --- a/folding-schemes/src/folding/hypernova/utils.rs +++ b/folding-schemes/src/folding/hypernova/utils.rs @@ -199,7 +199,7 @@ pub mod tests { use ark_std::Zero; use crate::ccs::tests::{get_test_ccs, get_test_z}; - use crate::pedersen::Pedersen; + use crate::commitment::pedersen::Pedersen; use crate::utils::multilinear_polynomial::tests::fix_last_variables; use crate::utils::virtual_polynomial::eq_eval; diff --git a/folding-schemes/src/folding/nova/circuits.rs b/folding-schemes/src/folding/nova/circuits.rs index 109c605c..e79de6d0 100644 --- a/folding-schemes/src/folding/nova/circuits.rs +++ b/folding-schemes/src/folding/nova/circuits.rs @@ -470,12 +470,12 @@ pub mod tests { use tracing_subscriber::layer::SubscriberExt; use crate::ccs::r1cs::{extract_r1cs, extract_w_x}; + use crate::commitment::pedersen::Pedersen; use crate::folding::nova::nifs::tests::prepare_simple_fold_inputs; use crate::folding::nova::{ ivc::get_committed_instance_coordinates, nifs::NIFS, traits::NovaR1CS, Witness, }; use crate::frontend::tests::CubicFCircuit; - use crate::pedersen::Pedersen; use crate::transcript::poseidon::tests::poseidon_test_config; #[test] diff --git a/folding-schemes/src/folding/nova/decider.rs b/folding-schemes/src/folding/nova/decider.rs index 75022ef6..a3719ede 100644 --- a/folding-schemes/src/folding/nova/decider.rs +++ b/folding-schemes/src/folding/nova/decider.rs @@ -18,13 +18,13 @@ use ark_std::{One, Zero}; use core::{borrow::Borrow, marker::PhantomData}; use crate::ccs::r1cs::R1CS; +use crate::commitment::pedersen::Params as PedersenParams; use crate::folding::nova::{ circuits::{CommittedInstanceVar, CF1, CF2}, ivc::IVC, CommittedInstance, Witness, }; use crate::frontend::FCircuit; -use crate::pedersen::Params as PedersenParams; use crate::utils::gadgets::{ hadamard, mat_vec_mul_sparse, vec_add, vec_scalar_mul, SparseMatrixVar, }; @@ -355,8 +355,8 @@ where { // imports here instead of at the top of the file, so we avoid having multiple // `#[cfg(not(test))] + use crate::commitment::pedersen::PedersenGadget; use crate::folding::nova::cyclefold::{CycleFoldCommittedInstanceVar, CF_IO_LEN}; - use crate::pedersen::PedersenGadget; use ark_r1cs_std::ToBitsGadget; let cf_r1cs = R1CSVar::< diff --git a/folding-schemes/src/folding/nova/ivc.rs b/folding-schemes/src/folding/nova/ivc.rs index 287bf742..cdbdd7ef 100644 --- a/folding-schemes/src/folding/nova/ivc.rs +++ b/folding-schemes/src/folding/nova/ivc.rs @@ -14,8 +14,8 @@ use super::{ use super::{nifs::NIFS, traits::NovaR1CS, CommittedInstance, Witness}; use crate::ccs::r1cs::R1CS; use crate::ccs::r1cs::{extract_r1cs, extract_w_x}; +use crate::commitment::pedersen::{Params as PedersenParams, Pedersen}; use crate::frontend::FCircuit; -use crate::pedersen::{Params as PedersenParams, Pedersen}; use crate::Error; #[cfg(test)] diff --git a/folding-schemes/src/folding/nova/mod.rs b/folding-schemes/src/folding/nova/mod.rs index a6e3eb62..172864ae 100644 --- a/folding-schemes/src/folding/nova/mod.rs +++ b/folding-schemes/src/folding/nova/mod.rs @@ -7,8 +7,11 @@ use ark_ec::{CurveGroup, Group}; use ark_std::fmt::Debug; use ark_std::{One, Zero}; +use crate::commitment::{ + pedersen::{Params as PedersenParams, Pedersen}, + CommitmentProver, +}; use crate::folding::circuits::nonnative::point_to_nonnative_limbs; -use crate::pedersen::{Params as PedersenParams, Pedersen}; use crate::utils::vec::is_zero_vec; use crate::Error; @@ -89,11 +92,13 @@ where ::ScalarField: Absorb, { pub fn new(w: Vec, e_len: usize) -> Self { + // note: at the current version, we don't use the blinding factors and we set them to 0 + // always. Self { E: vec![C::ScalarField::zero(); e_len], - rE: C::ScalarField::zero(), // because we use C::zero() as cmE + rE: C::ScalarField::zero(), W: w, - rW: C::ScalarField::one(), + rW: C::ScalarField::zero(), } } pub fn commit( diff --git a/folding-schemes/src/folding/nova/nifs.rs b/folding-schemes/src/folding/nova/nifs.rs index dd671a5d..289db079 100644 --- a/folding-schemes/src/folding/nova/nifs.rs +++ b/folding-schemes/src/folding/nova/nifs.rs @@ -5,7 +5,10 @@ use std::marker::PhantomData; use super::{CommittedInstance, Witness}; use crate::ccs::r1cs::R1CS; -use crate::pedersen::{Params as PedersenParams, Pedersen, Proof as PedersenProof}; +use crate::commitment::{ + pedersen::{Params as PedersenParams, Pedersen, Proof as PedersenProof}, + CommitmentProver, +}; use crate::transcript::Transcript; use crate::utils::vec::*; use crate::Error; diff --git a/folding-schemes/src/folding/protogalaxy/folding.rs b/folding-schemes/src/folding/protogalaxy/folding.rs index 7da1d396..ba5f8e73 100644 --- a/folding-schemes/src/folding/protogalaxy/folding.rs +++ b/folding-schemes/src/folding/protogalaxy/folding.rs @@ -369,7 +369,7 @@ mod tests { use ark_std::UniformRand; use crate::ccs::r1cs::tests::{get_test_r1cs, get_test_z}; - use crate::pedersen::Pedersen; + use crate::commitment::{pedersen::Pedersen, CommitmentProver}; use crate::transcript::poseidon::{tests::poseidon_test_config, PoseidonTranscript}; pub(crate) fn check_instance( diff --git a/folding-schemes/src/lib.rs b/folding-schemes/src/lib.rs index 873cdb36..3700f497 100644 --- a/folding-schemes/src/lib.rs +++ b/folding-schemes/src/lib.rs @@ -9,10 +9,10 @@ use thiserror::Error; pub mod transcript; use transcript::Transcript; pub mod ccs; +pub mod commitment; pub mod constants; pub mod folding; pub mod frontend; -pub mod pedersen; pub mod utils; #[derive(Debug, Error)] @@ -21,6 +21,10 @@ pub enum Error { SynthesisError(#[from] ark_relations::r1cs::SynthesisError), #[error("ark_serialize::SerializationError")] SerializationError(#[from] ark_serialize::SerializationError), + #[error("ark_poly_commit::Error")] + PolyCommitError(#[from] ark_poly_commit::Error), + #[error("crate::utils::espresso::virtual_polynomial::ArithErrors")] + ArithError(#[from] utils::espresso::virtual_polynomial::ArithErrors), #[error("{0}")] Other(String), @@ -36,8 +40,8 @@ pub enum Error { Empty, #[error("Pedersen parameters length is not suficient (generators.len={0} < vector.len={1} unsatisfied)")] PedersenParamsLen(usize, usize), - #[error("Pedersen verification failed")] - PedersenVerificationFail, + #[error("Commitment verification failed")] + CommitmentVerificationFail, #[error("IVC verification failed")] IVCVerificationFail, #[error("R1CS instance is expected to not be relaxed")] @@ -52,6 +56,8 @@ pub enum Error { OutOfBounds, #[error("Could not construct the Evaluation Domain")] NewDomainFail, + #[error("Feature '{0}' not supported yet")] + NotSupportedYet(String), #[error(transparent)] ProtoGalaxy(folding::protogalaxy::ProtoGalaxyError), diff --git a/folding-schemes/src/pedersen.rs b/folding-schemes/src/pedersen.rs index 82857140..8b137891 100644 --- a/folding-schemes/src/pedersen.rs +++ b/folding-schemes/src/pedersen.rs @@ -1,222 +1 @@ -use ark_ec::CurveGroup; -use ark_ff::Field; -use ark_r1cs_std::{boolean::Boolean, groups::GroupOpsBounds, prelude::CurveVar}; -use ark_relations::r1cs::SynthesisError; -use ark_std::{rand::Rng, UniformRand}; -use core::marker::PhantomData; -use crate::utils::vec::{vec_add, vec_scalar_mul}; - -use crate::transcript::Transcript; -use crate::Error; - -#[derive(Debug, Clone, Eq, PartialEq)] -pub struct Proof { - pub R: C, - pub u: Vec, - pub r_u: C::ScalarField, -} - -#[derive(Debug, Clone, Eq, PartialEq)] -pub struct Params { - pub h: C, - pub generators: Vec, -} - -#[derive(Debug, Clone, Eq, PartialEq)] -pub struct Pedersen { - _c: PhantomData, -} - -impl Pedersen { - pub fn new_params(rng: &mut R, max: usize) -> Params { - let generators: Vec = std::iter::repeat_with(|| C::Affine::rand(rng)) - .take(max.next_power_of_two()) - .collect(); - let params: Params = Params:: { - h: C::rand(rng), - generators, - }; - params - } - - pub fn commit( - params: &Params, - v: &Vec, - r: &C::ScalarField, - ) -> Result { - if params.generators.len() < v.len() { - return Err(Error::PedersenParamsLen(params.generators.len(), v.len())); - } - // h⋅r + - // use msm_unchecked because we already ensured at the if that lengths match - Ok(params.h.mul(r) + C::msm_unchecked(¶ms.generators[..v.len()], v)) - } - - pub fn prove( - params: &Params, - transcript: &mut impl Transcript, - cm: &C, - v: &Vec, - r: &C::ScalarField, - ) -> Result, Error> { - if params.generators.len() < v.len() { - return Err(Error::PedersenParamsLen(params.generators.len(), v.len())); - } - - transcript.absorb_point(cm)?; - let r1 = transcript.get_challenge(); - let d = transcript.get_challenges(v.len()); - - // R = h⋅r_1 + - // use msm_unchecked because we already ensured at the if that lengths match - let R: C = params.h.mul(r1) + C::msm_unchecked(¶ms.generators[..d.len()], &d); - - transcript.absorb_point(&R)?; - let e = transcript.get_challenge(); - - // u = d + v⋅e - let u = vec_add(&vec_scalar_mul(v, &e), &d)?; - // r_u = e⋅r + r_1 - let r_u = e * r + r1; - - Ok(Proof:: { R, u, r_u }) - } - - pub fn verify( - params: &Params, - transcript: &mut impl Transcript, - cm: C, - proof: Proof, - ) -> Result<(), Error> { - if params.generators.len() < proof.u.len() { - return Err(Error::PedersenParamsLen( - params.generators.len(), - proof.u.len(), - )); - } - - transcript.absorb_point(&cm)?; - transcript.get_challenge(); // r_1 - transcript.get_challenges(proof.u.len()); // d - transcript.absorb_point(&proof.R)?; - let e = transcript.get_challenge(); - - // check that: R + cm == h⋅r_u + - let lhs = proof.R + cm.mul(e); - // use msm_unchecked because we already ensured at the if that lengths match - let rhs = params.h.mul(proof.r_u) - + C::msm_unchecked(¶ms.generators[..proof.u.len()], &proof.u); - if lhs != rhs { - return Err(Error::PedersenVerificationFail); - } - Ok(()) - } -} - -pub type CF = <::BaseField as Field>::BasePrimeField; - -pub struct PedersenGadget -where - C: CurveGroup, - GC: CurveVar>, -{ - _cf: PhantomData>, - _c: PhantomData, - _gc: PhantomData, -} - -impl PedersenGadget -where - C: CurveGroup, - GC: CurveVar>, - - ::BaseField: ark_ff::PrimeField, - for<'a> &'a GC: GroupOpsBounds<'a, C, GC>, -{ - pub fn commit( - h: GC, - g: Vec, - v: Vec>>>, - r: Vec>>, - ) -> Result { - let mut res = GC::zero(); - res += h.scalar_mul_le(r.iter())?; - for (i, v_i) in v.iter().enumerate() { - res += g[i].scalar_mul_le(v_i.iter())?; - } - Ok(res) - } -} - -#[cfg(test)] -mod tests { - use ark_ff::{BigInteger, PrimeField}; - use ark_pallas::{constraints::GVar, Fq, Fr, Projective}; - use ark_r1cs_std::{alloc::AllocVar, bits::boolean::Boolean, eq::EqGadget}; - use ark_relations::r1cs::ConstraintSystem; - use ark_std::UniformRand; - - use super::*; - use crate::transcript::poseidon::{tests::poseidon_test_config, PoseidonTranscript}; - - #[test] - fn test_pedersen_vector() { - let mut rng = ark_std::test_rng(); - - const n: usize = 10; - // setup params - let params = Pedersen::::new_params(&mut rng, n); - let poseidon_config = poseidon_test_config::(); - - // init Prover's transcript - let mut transcript_p = PoseidonTranscript::::new(&poseidon_config); - // init Verifier's transcript - let mut transcript_v = PoseidonTranscript::::new(&poseidon_config); - - let v: Vec = std::iter::repeat_with(|| Fr::rand(&mut rng)) - .take(n) - .collect(); - let r: Fr = Fr::rand(&mut rng); - let cm = Pedersen::::commit(¶ms, &v, &r).unwrap(); - let proof = Pedersen::::prove(¶ms, &mut transcript_p, &cm, &v, &r).unwrap(); - Pedersen::::verify(¶ms, &mut transcript_v, cm, proof).unwrap(); - } - - #[test] - fn test_pedersen_circuit() { - let mut rng = ark_std::test_rng(); - - const n: usize = 10; - // setup params - let params = Pedersen::::new_params(&mut rng, n); - - let v: Vec = std::iter::repeat_with(|| Fr::rand(&mut rng)) - .take(n) - .collect(); - let r: Fr = Fr::rand(&mut rng); - let cm = Pedersen::::commit(¶ms, &v, &r).unwrap(); - - // circuit - let cs = ConstraintSystem::::new_ref(); - - let v_bits: Vec> = v.iter().map(|val| val.into_bigint().to_bits_le()).collect(); - let r_bits: Vec = r.into_bigint().to_bits_le(); - - // prepare inputs - let vVar: Vec>> = v_bits - .iter() - .map(|val_bits| { - Vec::>::new_witness(cs.clone(), || Ok(val_bits.clone())).unwrap() - }) - .collect(); - let rVar = Vec::>::new_witness(cs.clone(), || Ok(r_bits)).unwrap(); - let gVar = Vec::::new_witness(cs.clone(), || Ok(params.generators)).unwrap(); - let hVar = GVar::new_witness(cs.clone(), || Ok(params.h)).unwrap(); - let expected_cmVar = GVar::new_witness(cs.clone(), || Ok(cm)).unwrap(); - - // use the gadget - let cmVar = PedersenGadget::::commit(hVar, gVar, vVar, rVar).unwrap(); - cmVar.enforce_equal(&expected_cmVar).unwrap(); - } -} diff --git a/src/commitment/kzg.rs b/src/commitment/kzg.rs new file mode 100644 index 00000000..beaf3dad --- /dev/null +++ b/src/commitment/kzg.rs @@ -0,0 +1,234 @@ +/// Adaptation of the prover methods and structs from arkworks/poly-commit's KZG10 implementation +/// into the CommitmentProver trait. +/// +/// The motivation to do so, is that we want to be able to use KZG / Pedersen for committing to +/// vectors indistinctly, and the arkworks KZG10 implementation contains all the methods under the +/// same trait, which requires the Pairing trait, where the prover does not need access to the +/// Pairing but only to G1. +/// For our case, we want the folding schemes prover to be agnostic to pairings, since in the +/// non-ethereum cases we may use non-pairing-friendly curves with Pedersen commitments, so the +/// trait & types that we use should not depend on the Pairing type for the prover. Therefore, we +/// separate the CommitmentSchemeProver from the setup and verify phases, so the prover can be +/// defined without depending on pairings. +use ark_ec::{pairing::Pairing, CurveGroup, VariableBaseMSM}; +use ark_ff::PrimeField; +use ark_poly::{ + univariate::{DenseOrSparsePolynomial, DensePolynomial}, + DenseUVPolynomial, EvaluationDomain, Evaluations, GeneralEvaluationDomain, Polynomial, +}; +use ark_poly_commit::kzg10::{VerifierKey, KZG10}; +use ark_std::rand::Rng; +use ark_std::{borrow::Cow, fmt::Debug}; +use ark_std::{One, Zero}; +use core::marker::PhantomData; +use rayon::iter::{IntoParallelRefIterator, ParallelIterator}; + +use super::CommitmentProver; +use crate::transcript::Transcript; +use crate::Error; + +/// ProverKey defines a similar struct as in ark_poly_commit::kzg10::Powers, but instead of +/// depending on the Pairing trait it depends on the CurveGroup trait. +#[derive(Debug, Clone, Default, Eq, PartialEq)] +pub struct ProverKey<'a, C: CurveGroup> { + /// Group elements of the form `β^i G`, for different values of `i`. + pub powers_of_g: Cow<'a, [C::Affine]>, +} + +pub struct KZGSetup { + _p: PhantomData

, +} +impl<'a, P> KZGSetup

+where + P: Pairing, +{ + /// setup returns the tuple (ProverKey, VerifierKey). For real world deployments the setup must + /// be computed in the most trustless way possible, usually through a MPC ceremony. + pub fn setup(rng: &mut R, len: usize) -> (ProverKey<'a, P::G1>, VerifierKey

) { + let len = len.next_power_of_two(); + let universal_params = KZG10::>::setup(len, false, rng) + .expect("Setup failed"); + let powers_of_g = universal_params.powers_of_g[..=len].to_vec(); + let powers = ProverKey:: { + powers_of_g: ark_std::borrow::Cow::Owned(powers_of_g), + }; + let vk = VerifierKey { + g: universal_params.powers_of_g[0], + gamma_g: universal_params.powers_of_gamma_g[&0], + h: universal_params.h, + beta_h: universal_params.beta_h, + prepared_h: universal_params.prepared_h.clone(), + prepared_beta_h: universal_params.prepared_beta_h.clone(), + }; + (powers, vk) + } +} + +/// KZGProver implements the CommitmentProver trait for the KZG commitment scheme. +pub struct KZGProver<'a, C: CurveGroup> { + _a: PhantomData<&'a ()>, + _c: PhantomData, +} +impl<'a, C> CommitmentProver for KZGProver<'a, C> +where + C: CurveGroup, +{ + type Params = ProverKey<'a, C>; + /// Proof is a tuple containing (evaluation, proof) + type Proof = (C::ScalarField, C); + + /// commit implements the CommitmentProver commit interface, adapting the implementation from + /// https://github.com/arkworks-rs/poly-commit/tree/c724fa666e935bbba8db5a1421603bab542e15ab/poly-commit/src/kzg10/mod.rs#L178 + /// with the main difference being the removal of the blinding factors and the no-dependancy to + /// the Pairing trait. + fn commit( + params: &Self::Params, + v: &[C::ScalarField], + _blind: &C::ScalarField, + ) -> Result { + if !_blind.is_zero() { + return Err(Error::NotSupportedYet("blinding factors".to_string())); + } + + let polynomial = poly_from_vec(v.to_vec())?; + check_degree_is_too_large(polynomial.degree(), params.powers_of_g.len())?; + + let (num_leading_zeros, plain_coeffs) = + skip_first_zero_coeffs_and_convert_to_bigints(&polynomial); + let commitment = ::msm_bigint( + ¶ms.powers_of_g[num_leading_zeros..], + &plain_coeffs, + ); + Ok(commitment) + } + + /// prove implements the CommitmentProver prove interface, adapting the implementation from + /// https://github.com/arkworks-rs/poly-commit/tree/c724fa666e935bbba8db5a1421603bab542e15ab/poly-commit/src/kzg10/mod.rs#L307 + /// with the main difference being the removal of the blinding factors and the no-dependancy to + /// the Pairing trait. + fn prove( + params: &Self::Params, + transcript: &mut impl Transcript, + cm: &C, + v: &[C::ScalarField], + _blind: &C::ScalarField, + ) -> Result { + if !_blind.is_zero() { + return Err(Error::NotSupportedYet("blinding factors".to_string())); + } + + let polynomial = poly_from_vec(v.to_vec())?; + check_degree_is_too_large(polynomial.degree(), params.powers_of_g.len())?; + + transcript.absorb_point(cm)?; + let challenge = transcript.get_challenge(); + + // Compute q(x) = (p(x) - p(z)) / (x-z). Observe that this quotient does not change with z + // because p(z) is the remainder term. We can therefore omit p(z) when computing the + // quotient. + let divisor = DensePolynomial::::from_coefficients_vec(vec![ + -challenge, + C::ScalarField::one(), + ]); + let (witness_poly, remainder_poly) = DenseOrSparsePolynomial::from(&polynomial) + .divide_with_q_and_r(&DenseOrSparsePolynomial::from(&divisor)) + // the panic inside `divide_with_q_and_r` should never be reached, since the divisor + // polynomial is constructed right before and is set to not be zero. And the `.unwrap` + // should not give an error. + .unwrap(); + let evaluation = remainder_poly[0]; + + check_degree_is_too_large(witness_poly.degree(), params.powers_of_g.len())?; + let (num_leading_zeros, witness_coeffs) = + skip_first_zero_coeffs_and_convert_to_bigints(&witness_poly); + let proof = ::msm_bigint( + ¶ms.powers_of_g[num_leading_zeros..], + &witness_coeffs, + ); + + Ok((evaluation, proof)) + } +} + +/// returns the interpolated polynomial of degree=v.len().next_power_of_two(), which passes through all +/// the given elements of v. +fn poly_from_vec(v: Vec) -> Result, Error> { + let D = GeneralEvaluationDomain::::new(v.len()).ok_or(Error::NewDomainFail)?; + Ok(Evaluations::from_vec_and_domain(v, D).interpolate()) +} + +fn check_degree_is_too_large( + degree: usize, + num_powers: usize, +) -> Result<(), ark_poly_commit::error::Error> { + let num_coefficients = degree + 1; + if num_coefficients > num_powers { + Err(ark_poly_commit::error::Error::TooManyCoefficients { + num_coefficients, + num_powers, + }) + } else { + Ok(()) + } +} + +fn skip_first_zero_coeffs_and_convert_to_bigints>( + p: &P, +) -> (usize, Vec) { + let mut num_leading_zeros = 0; + while num_leading_zeros < p.coeffs().len() && p.coeffs()[num_leading_zeros].is_zero() { + num_leading_zeros += 1; + } + let coeffs = convert_to_bigints(&p.coeffs()[num_leading_zeros..]); + (num_leading_zeros, coeffs) +} + +fn convert_to_bigints(p: &[F]) -> Vec { + ark_std::cfg_iter!(p) + .map(|s| s.into_bigint()) + .collect::>() +} + +#[cfg(test)] +mod tests { + use ark_bn254::{Bn254, Fr, G1Projective as G1}; + use ark_poly_commit::kzg10::{Commitment as KZG10Commitment, Proof as KZG10Proof, KZG10}; + use ark_std::{test_rng, UniformRand}; + + use super::*; + use crate::transcript::poseidon::{tests::poseidon_test_config, PoseidonTranscript}; + + #[test] + fn test_kzg_commitment_scheme() { + let rng = &mut test_rng(); + let poseidon_config = poseidon_test_config::(); + let transcript_p = &mut PoseidonTranscript::::new(&poseidon_config); + let transcript_v = &mut PoseidonTranscript::::new(&poseidon_config); + + let n = 10; + let (pk, vk): (ProverKey, VerifierKey) = KZGSetup::::setup(rng, n); + + let v: Vec = std::iter::repeat_with(|| Fr::rand(rng)).take(n).collect(); + let cm = KZGProver::::commit(&pk, &v, &Fr::zero()).unwrap(); + + let (eval, proof) = + KZGProver::::prove(&pk, transcript_p, &cm, &v, &Fr::zero()).unwrap(); + + // verify the proof: + // get evaluation challenge + transcript_v.absorb_point(&cm).unwrap(); + let challenge = transcript_v.get_challenge(); + // verify the KZG proof using arkworks method + assert!(KZG10::>::check( + &vk, + &KZG10Commitment(cm.into_affine()), + challenge, + eval, + &KZG10Proof:: { + w: proof.into_affine(), + random_v: None, + }, + ) + .unwrap()); + } +} diff --git a/src/commitment/mod.rs b/src/commitment/mod.rs new file mode 100644 index 00000000..a8ef24b5 --- /dev/null +++ b/src/commitment/mod.rs @@ -0,0 +1,127 @@ +use ark_ec::CurveGroup; +use ark_std::fmt::Debug; + +use crate::transcript::Transcript; +use crate::Error; + +pub mod kzg; +pub mod pedersen; + +/// CommitmentProver defines the vector commitment scheme prover trait. +pub trait CommitmentProver { + type Params: Debug; + type Proof: Debug; + + fn commit( + params: &Self::Params, + v: &[C::ScalarField], + blind: &C::ScalarField, + ) -> Result; + fn prove( + params: &Self::Params, + transcript: &mut impl Transcript, + cm: &C, + v: &[C::ScalarField], + blind: &C::ScalarField, + ) -> Result; +} + +#[cfg(test)] +mod tests { + use super::*; + use ark_bn254::{Bn254, Fr, G1Projective as G1}; + use ark_crypto_primitives::sponge::{poseidon::PoseidonConfig, Absorb}; + use ark_poly::univariate::DensePolynomial; + use ark_poly_commit::kzg10::{ + Commitment as KZG10Commitment, Proof as KZG10Proof, VerifierKey, KZG10, + }; + use ark_std::Zero; + use ark_std::{test_rng, UniformRand}; + + use super::kzg::{KZGProver, KZGSetup, ProverKey}; + use super::pedersen::Pedersen; + use crate::transcript::{ + poseidon::{tests::poseidon_test_config, PoseidonTranscript}, + Transcript, + }; + + // Computes the commitment of the two vectors using the given CommitmentProver, then computes + // their random linear combination, and returns it together with the proof of it. + fn commit_rlc_and_prove>( + poseidon_config: &PoseidonConfig, + params: &CP::Params, + r: C::ScalarField, + v_1: &[C::ScalarField], + v_2: &[C::ScalarField], + ) -> Result<(C, CP::Proof), Error> + where + ::ScalarField: Absorb, + { + let cm_1 = CP::commit(params, v_1, &C::ScalarField::zero())?; + let cm_2 = CP::commit(params, v_2, &C::ScalarField::zero())?; + + // random linear combination of the commitment and the witness (vector v) + let cm_3 = cm_1 + cm_2.mul(r); + let v_3: Vec = v_1.iter().zip(v_2).map(|(a, b)| *a + (r * b)).collect(); + + let transcript = &mut PoseidonTranscript::::new(poseidon_config); + let proof = CP::prove(params, transcript, &cm_3, &v_3, &C::ScalarField::zero()).unwrap(); + + Ok((cm_3, proof)) + } + + #[test] + fn test_homomorphic_property_using_CommitmentProver_trait() { + let rng = &mut test_rng(); + let poseidon_config = poseidon_test_config::(); + let n: usize = 100; + + // set random vector for the test + let v_1: Vec = std::iter::repeat_with(|| Fr::rand(rng)).take(n).collect(); + let v_2: Vec = std::iter::repeat_with(|| Fr::rand(rng)).take(n).collect(); + // set a random challenge for the random linear combination + let r = Fr::rand(rng); + + // setup params for Pedersen & KZG + let pedersen_params = Pedersen::::new_params(rng, n); + let (kzg_pk, kzg_vk): (ProverKey, VerifierKey) = + KZGSetup::::setup(rng, n); + + // Pedersen commit the two vectors and return their random linear combination and proof + let (pedersen_cm, pedersen_proof) = commit_rlc_and_prove::>( + &poseidon_config, + &pedersen_params, + r, + &v_1, + &v_2, + ) + .unwrap(); + + // KZG commit the two vectors and return their random linear combination and proof + let (kzg_cm, kzg_proof) = + commit_rlc_and_prove::>(&poseidon_config, &kzg_pk, r, &v_1, &v_2) + .unwrap(); + + // verify Pedersen + let transcript_v = &mut PoseidonTranscript::::new(&poseidon_config); + Pedersen::::verify(&pedersen_params, transcript_v, pedersen_cm, pedersen_proof) + .unwrap(); + + // verify KZG + let transcript_v = &mut PoseidonTranscript::::new(&poseidon_config); + transcript_v.absorb_point(&kzg_cm).unwrap(); + let challenge = transcript_v.get_challenge(); + // verify the KZG proof using arkworks method + assert!(KZG10::>::check( + &kzg_vk, + &KZG10Commitment(kzg_cm.into_affine()), + challenge, + kzg_proof.0, // eval + &KZG10Proof:: { + w: kzg_proof.1.into_affine(), // proof + random_v: None, + }, + ) + .unwrap()); + } +} diff --git a/src/commitment/pedersen.rs b/src/commitment/pedersen.rs new file mode 100644 index 00000000..b711cc8b --- /dev/null +++ b/src/commitment/pedersen.rs @@ -0,0 +1,229 @@ +use ark_ec::CurveGroup; +use ark_ff::Field; +use ark_r1cs_std::{boolean::Boolean, groups::GroupOpsBounds, prelude::CurveVar}; +use ark_relations::r1cs::SynthesisError; +use ark_std::{rand::Rng, UniformRand}; +use core::marker::PhantomData; + +use super::CommitmentProver; +use crate::transcript::Transcript; +use crate::utils::vec::{vec_add, vec_scalar_mul}; +use crate::Error; + +#[derive(Debug, Clone, Eq, PartialEq)] +pub struct Proof { + pub R: C, + pub u: Vec, + pub r_u: C::ScalarField, +} + +#[derive(Debug, Clone, Eq, PartialEq)] +pub struct Params { + pub h: C, + pub generators: Vec, +} + +#[derive(Debug, Clone, Eq, PartialEq)] +pub struct Pedersen { + _c: PhantomData, +} + +impl Pedersen { + pub fn new_params(rng: &mut R, max: usize) -> Params { + let generators: Vec = std::iter::repeat_with(|| C::Affine::rand(rng)) + .take(max.next_power_of_two()) + .collect(); + let params: Params = Params:: { + h: C::rand(rng), + generators, + }; + params + } +} + +// implement the CommitmentProver trait for Pedersen +impl CommitmentProver for Pedersen { + type Params = Params; + type Proof = Proof; + fn commit( + params: &Self::Params, + v: &[C::ScalarField], + r: &C::ScalarField, // blinding factor + ) -> Result { + if params.generators.len() < v.len() { + return Err(Error::PedersenParamsLen(params.generators.len(), v.len())); + } + // h⋅r + + // use msm_unchecked because we already ensured at the if that lengths match + Ok(params.h.mul(r) + C::msm_unchecked(¶ms.generators[..v.len()], v)) + } + + fn prove( + params: &Params, + transcript: &mut impl Transcript, + cm: &C, + v: &[C::ScalarField], + r: &C::ScalarField, // blinding factor + ) -> Result { + if params.generators.len() < v.len() { + return Err(Error::PedersenParamsLen(params.generators.len(), v.len())); + } + + transcript.absorb_point(cm)?; + let r1 = transcript.get_challenge(); + let d = transcript.get_challenges(v.len()); + + // R = h⋅r_1 + + // use msm_unchecked because we already ensured at the if that lengths match + let R: C = params.h.mul(r1) + C::msm_unchecked(¶ms.generators[..d.len()], &d); + + transcript.absorb_point(&R)?; + let e = transcript.get_challenge(); + + // u = d + v⋅e + let u = vec_add(&vec_scalar_mul(v, &e), &d)?; + // r_u = e⋅r + r_1 + let r_u = e * r + r1; + + Ok(Self::Proof { R, u, r_u }) + } +} + +impl Pedersen { + pub fn verify( + params: &Params, + transcript: &mut impl Transcript, + cm: C, + proof: Proof, + ) -> Result<(), Error> { + if params.generators.len() < proof.u.len() { + return Err(Error::PedersenParamsLen( + params.generators.len(), + proof.u.len(), + )); + } + + transcript.absorb_point(&cm)?; + transcript.get_challenge(); // r_1 + transcript.get_challenges(proof.u.len()); // d + transcript.absorb_point(&proof.R)?; + let e = transcript.get_challenge(); + + // check that: R + cm⋅e == h⋅r_u + + let lhs = proof.R + cm.mul(e); + // use msm_unchecked because we already ensured at the if that lengths match + let rhs = params.h.mul(proof.r_u) + + C::msm_unchecked(¶ms.generators[..proof.u.len()], &proof.u); + if lhs != rhs { + return Err(Error::CommitmentVerificationFail); + } + Ok(()) + } +} + +pub type CF = <::BaseField as Field>::BasePrimeField; + +pub struct PedersenGadget +where + C: CurveGroup, + GC: CurveVar>, +{ + _cf: PhantomData>, + _c: PhantomData, + _gc: PhantomData, +} + +impl PedersenGadget +where + C: CurveGroup, + GC: CurveVar>, + + ::BaseField: ark_ff::PrimeField, + for<'a> &'a GC: GroupOpsBounds<'a, C, GC>, +{ + pub fn commit( + h: GC, + g: Vec, + v: Vec>>>, + r: Vec>>, + ) -> Result { + let mut res = GC::zero(); + res += h.scalar_mul_le(r.iter())?; + for (i, v_i) in v.iter().enumerate() { + res += g[i].scalar_mul_le(v_i.iter())?; + } + Ok(res) + } +} + +#[cfg(test)] +mod tests { + use ark_ff::{BigInteger, PrimeField}; + use ark_pallas::{constraints::GVar, Fq, Fr, Projective}; + use ark_r1cs_std::{alloc::AllocVar, bits::boolean::Boolean, eq::EqGadget}; + use ark_relations::r1cs::ConstraintSystem; + use ark_std::UniformRand; + + use super::*; + use crate::transcript::poseidon::{tests::poseidon_test_config, PoseidonTranscript}; + + #[test] + fn test_pedersen_vector() { + let mut rng = ark_std::test_rng(); + + let n: usize = 10; + // setup params + let params = Pedersen::::new_params(&mut rng, n); + let poseidon_config = poseidon_test_config::(); + + // init Prover's transcript + let mut transcript_p = PoseidonTranscript::::new(&poseidon_config); + // init Verifier's transcript + let mut transcript_v = PoseidonTranscript::::new(&poseidon_config); + + let v: Vec = std::iter::repeat_with(|| Fr::rand(&mut rng)) + .take(n) + .collect(); + let r: Fr = Fr::rand(&mut rng); + let cm = Pedersen::::commit(¶ms, &v, &r).unwrap(); + let proof = Pedersen::::prove(¶ms, &mut transcript_p, &cm, &v, &r).unwrap(); + Pedersen::::verify(¶ms, &mut transcript_v, cm, proof).unwrap(); + } + + #[test] + fn test_pedersen_circuit() { + let mut rng = ark_std::test_rng(); + + let n: usize = 10; + // setup params + let params = Pedersen::::new_params(&mut rng, n); + + let v: Vec = std::iter::repeat_with(|| Fr::rand(&mut rng)) + .take(n) + .collect(); + let r: Fr = Fr::rand(&mut rng); + let cm = Pedersen::::commit(¶ms, &v, &r).unwrap(); + + // circuit + let cs = ConstraintSystem::::new_ref(); + + let v_bits: Vec> = v.iter().map(|val| val.into_bigint().to_bits_le()).collect(); + let r_bits: Vec = r.into_bigint().to_bits_le(); + + // prepare inputs + let vVar: Vec>> = v_bits + .iter() + .map(|val_bits| { + Vec::>::new_witness(cs.clone(), || Ok(val_bits.clone())).unwrap() + }) + .collect(); + let rVar = Vec::>::new_witness(cs.clone(), || Ok(r_bits)).unwrap(); + let gVar = Vec::::new_witness(cs.clone(), || Ok(params.generators)).unwrap(); + let hVar = GVar::new_witness(cs.clone(), || Ok(params.h)).unwrap(); + let expected_cmVar = GVar::new_witness(cs.clone(), || Ok(cm)).unwrap(); + + // use the gadget + let cmVar = PedersenGadget::::commit(hVar, gVar, vVar, rVar).unwrap(); + cmVar.enforce_equal(&expected_cmVar).unwrap(); + } +}