From 4b160ca9693daaf0c57acbc7d571301d7cb1203f Mon Sep 17 00:00:00 2001 From: Ray Gao Date: Thu, 5 Dec 2024 03:11:24 -0500 Subject: [PATCH] Adapt proving methods onto SumcheckInstanceProof. Remove ZK proof struct. --- spartan_parallel/src/dense_mlpoly.rs | 6 +- spartan_parallel/src/r1csproof.rs | 16 +-- spartan_parallel/src/sumcheck.rs | 188 +++------------------------ 3 files changed, 27 insertions(+), 183 deletions(-) diff --git a/spartan_parallel/src/dense_mlpoly.rs b/spartan_parallel/src/dense_mlpoly.rs index 9ef128b2..c2253269 100644 --- a/spartan_parallel/src/dense_mlpoly.rs +++ b/spartan_parallel/src/dense_mlpoly.rs @@ -3,9 +3,9 @@ use crate::scalar::SpartanExtensionField; use super::errors::ProofVerifyError; use super::math::Math; -use super::nizk::DotProductProofLog; use super::random::RandomTape; use super::transcript::ProofTranscript; +use super::unipoly::CompressedUniPoly; use core::ops::Index; use merlin::Transcript; use serde::{Deserialize, Serialize}; @@ -309,9 +309,9 @@ impl Index for DensePolynomial { } } -#[derive(Clone, Debug, Serialize, Deserialize)] +#[derive(Debug, Serialize, Deserialize)] pub struct PolyEvalProof { - proof: DotProductProofLog, + polys: Vec>, } impl PolyEvalProof { diff --git a/spartan_parallel/src/r1csproof.rs b/spartan_parallel/src/r1csproof.rs index 5cd1e650..50bff1e0 100644 --- a/spartan_parallel/src/r1csproof.rs +++ b/spartan_parallel/src/r1csproof.rs @@ -3,10 +3,9 @@ use super::custom_dense_mlpoly::DensePolynomialPqx; use super::dense_mlpoly::{DensePolynomial, EqPolynomial, PolyEvalProof}; use super::errors::ProofVerifyError; use super::math::Math; -use super::nizk::{EqualityProof, KnowledgeProof, ProductProof}; use super::r1csinstance::R1CSInstance; use super::random::RandomTape; -use super::sumcheck::R1CSSumcheckInstanceProof; +use super::sumcheck::SumcheckInstanceProof; use super::timer::Timer; use super::transcript::ProofTranscript; use crate::scalar::SpartanExtensionField; 
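Review bot: Nothing visible in this commit populates or checks the new `polys` field of `PolyEvalProof` (dense_mlpoly.rs, hunk `@@ -309,9 +309,9 @@`). The diffstat records only six changed lines for this file, all of them in the imports, the derive and the field, so the `impl PolyEvalProof` that begins right after the hunk was not adapted here. Please confirm that its prove and verify methods really construct and validate `polys`, because a proof type whose verifier accepts without inspecting its contents gives no soundness. The derive also silently loses `Clone`, which changes the trait surface of a `pub` struct; if the new field type forces that, a short comment such as `// not Clone: <reason>` would record it. The field also deserves a doc comment saying what the polynomials are and that they are carried in the clear.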
@@ -17,8 +16,8 @@ use std::cmp::min; #[derive(Serialize, Deserialize, Debug)] pub struct R1CSProof { - sc_proof_phase1: R1CSSumcheckInstanceProof, - sc_proof_phase2: R1CSSumcheckInstanceProof, + sc_proof_phase1: SumcheckInstanceProof, + sc_proof_phase2: SumcheckInstanceProof, pok_claims_phase2: (KnowledgeProof, ProductProof), proof_eq_sc_phase1: EqualityProof, proof_eq_sc_phase2: EqualityProof, @@ -41,13 +40,13 @@ impl R1CSProof { evals_Cz: &mut DensePolynomialPqx, transcript: &mut Transcript, random_tape: &mut RandomTape, - ) -> (R1CSSumcheckInstanceProof, Vec, Vec) { + ) -> (SumcheckInstanceProof, Vec, Vec) { let comb_func = |poly_A_comp: &S, poly_B_comp: &S, poly_C_comp: &S, poly_D_comp: &S| -> S { *poly_A_comp * (*poly_B_comp * *poly_C_comp - *poly_D_comp) }; let (sc_proof_phase_one, r, claims) = - R1CSSumcheckInstanceProof::::prove_cubic_with_additive_term_disjoint_rounds( + SumcheckInstanceProof::::prove_cubic_with_additive_term_disjoint_rounds( &S::field_zero(), // claim is zero num_rounds, num_rounds_x_max, @@ -83,12 +82,12 @@ impl R1CSProof { evals_z: &mut DensePolynomialPqx, transcript: &mut Transcript, random_tape: &mut RandomTape, - ) -> (R1CSSumcheckInstanceProof, Vec, Vec) { + ) -> (SumcheckInstanceProof, Vec, Vec) { let comb_func = |poly_A_comp: &S, poly_B_comp: &S, poly_C_comp: &S| -> S { *poly_A_comp * *poly_B_comp * *poly_C_comp }; let (sc_proof_phase_two, r, claims) = - R1CSSumcheckInstanceProof::::prove_cubic_disjoint_rounds( + SumcheckInstanceProof::::prove_cubic_disjoint_rounds( claim, num_rounds, num_rounds_y_max, @@ -102,7 +101,6 @@ impl R1CSProof { evals_z, comb_func, transcript, - random_tape, ); (sc_proof_phase_two, r, claims) diff --git a/spartan_parallel/src/sumcheck.rs b/spartan_parallel/src/sumcheck.rs index a3b891a9..36295c27 100644 --- a/spartan_parallel/src/sumcheck.rs +++ b/spartan_parallel/src/sumcheck.rs 
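Review bot: The unchanged fields of `R1CSProof` in hunk `@@ -17,8 +16,8 @@` still name `KnowledgeProof`, `ProductProof` and `EqualityProof` (`pok_claims_phase2`, `proof_eq_sc_phase1`, `proof_eq_sc_phase2`), while the previous hunk of this file deletes `use super::nizk::{EqualityProof, KnowledgeProof, ProductProof};`. Unless those names come into scope some other way that is not visible here, the struct no longer compiles. They are also the remaining pieces of the zero-knowledge protocol that this commit removes from the sum-check, so either drop the fields together with the import or keep the import until the verifier stops depending on them; a serialized proof should not carry fields that nothing checks. The struct continues past the end of the hunk.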
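Review bot: `prove_phase_two` (hunks `@@ -83,12 +82,12 @@` and `@@ -102,7 +101,6 @@`) keeps `random_tape: &mut RandomTape` in its signature although the call into `prove_cubic_disjoint_rounds` no longer forwards it, so the parameter appears to be unused now. The same leftover shows in sumcheck.rs: `prove_cubic_with_additive_term_disjoint_rounds` gets no signature hunk, yet hunk `@@ -813,60 +707,12 @@` deletes the `DotProductProof::prove(transcript, random_tape, ...)` call that was its visible use. A randomness tape in the signature of a prover that no longer blinds anything suggests hiding that is not there. Remove the parameter from both functions and from whatever still passes it down, or rename it `_random_tape` with a comment until the callers are updated. Both function bodies extend beyond the hunks shown, so any other use of the tape would have to be outside this diff.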
@@ -6,7 +6,6 @@ use crate::scalar::SpartanExtensionField; use super::dense_mlpoly::DensePolynomial; use super::errors::ProofVerifyError; -use super::nizk::DotProductProof; use super::random::RandomTape; use super::transcript::{AppendToTranscript, ProofTranscript}; use super::unipoly::{CompressedUniPoly, UniPoly}; @@ -70,67 +69,6 @@ impl SumcheckInstanceProof { } } -#[derive(Serialize, Deserialize, Debug)] -pub struct R1CSSumcheckInstanceProof { - proofs: Vec>, -} - -impl R1CSSumcheckInstanceProof { - pub fn new(proofs: Vec>) -> Self { - R1CSSumcheckInstanceProof { proofs } - } - - pub fn verify( - &self, - num_rounds: usize, - degree_bound: usize, - transcript: &mut Transcript, - ) -> Result, ProofVerifyError> { - let mut r: Vec = Vec::new(); - - for i in 0..num_rounds { - // derive the verifier's challenge for the next round - let r_i = transcript.challenge_scalar(b"challenge_nextround"); - - // verify the proof of sum-check and evals - let _res = { - // produce two weights - let w: Vec = transcript.challenge_vector(b"combine_two_claims_to_one", 2); - - let a = { - // the vector to use to decommit for sum-check test - let a_sc = { - let mut a = vec![S::field_one(); degree_bound + 1]; - a[0] = a[0] + S::field_one(); - a - }; - - // the vector to use to decommit for evaluation - let a_eval = { - let mut a = vec![S::field_one(); degree_bound + 1]; - for j in 1..a.len() { - a[j] = a[j - 1] * r_i; - } - a - }; - - // take weighted sum of the two vectors using w - assert_eq!(a_sc.len(), a_eval.len()); - (0..a_sc.len()) - .map(|i| w[0] * a_sc[i] + w[1] * a_eval[i]) - .collect::>() - }; - - self.proofs[i].verify(transcript, &a).is_ok() - }; - - r.push(r_i); - } - - Ok(r) - } -} - impl SumcheckInstanceProof { pub fn prove_cubic( claim: &S, @@ -379,9 +317,7 @@ impl SumcheckInstanceProof { claims_dotp, ) } -} -impl R1CSSumcheckInstanceProof { pub fn prove_cubic_disjoint_rounds( claim: &S, num_rounds: usize, 
@@ -396,7 +332,6 @@ impl R1CSSumcheckInstanceProof { poly_C: &mut DensePolynomialPqx, comb_func: F, transcript: &mut Transcript, - random_tape: &mut RandomTape, ) -> (Self, Vec, Vec) where F: Fn(&S, &S, &S) -> S, @@ -410,7 +345,7 @@ impl R1CSSumcheckInstanceProof { let mut claim_per_round = *claim; let mut r: Vec = Vec::new(); - let mut proofs: Vec> = Vec::new(); + let mut cubic_polys: Vec> = Vec::new(); let mut inputs_len = num_rounds_y_max.pow2(); let mut witness_secs_len = num_rounds_w.pow2(); @@ -540,8 +475,12 @@ impl R1CSSumcheckInstanceProof { poly }; + // append the prover's message to the transcript + poly.append_to_transcript(b"poly", transcript); + //derive the verifier's challenge for the next round let r_j = transcript.challenge_scalar(b"challenge_nextround"); + r.push(r_j); // bound all tables to the verifier's challenege if mode == MODE_P { 
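Review bot: The added `poly.append_to_transcript(b"poly", transcript);` in hunk `@@ -540,8 +475,12 @@` must stay ahead of `transcript.challenge_scalar(b"challenge_nextround")`, and the comment above it does not say so. In the non-interactive setting the challenge has to be derived from a transcript that already contains the round polynomial; if a later refactor swaps the two statements, `r_j` no longer binds the polynomial and the sum-check loses soundness. I would word the comment as `// absorb the round polynomial BEFORE deriving r_j: the challenge must bind it (Fiat-Shamir)`, and do the same in the twin hunk `@@ -798,8 +688,12 @@`. The verifier has to absorb the decompressed polynomial under the same label and in the same order; that code is outside this diff, so please confirm it matches. The enclosing loop begins and ends outside the hunk.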
@@ -552,61 +491,12 @@ impl R1CSSumcheckInstanceProof { } poly_C.bound_poly(&r_j, mode); - // produce a proof of sum-check and of evaluation - let (proof, claim_next_round) = { - let eval = poly.evaluate(&r_j); - - // we need to prove the following under homomorphic commitments: - // (1) poly(0) + poly(1) = claim_per_round - // (2) poly(r_j) = eval - - // Our technique is to leverage dot product proofs: - // (1) we can prove: = claim_per_round - // (2) we can prove: = transcript.challenge_vector(b"combine_two_claims_to_one", 2); - - // compute a weighted sum of the RHS - let target = w[0] * claim_per_round + w[1] * eval; - - let a = { - // the vector to use to decommit for sum-check test - let a_sc = { - let mut a = vec![S::field_one(); poly.degree() + 1]; - a[0] = a[0] + S::field_one(); - a - }; - - // the vector to use to decommit for evaluation - let a_eval = { - let mut a = vec![S::field_one(); poly.degree() + 1]; - for j in 1..a.len() { - a[j] = a[j - 1] * r_j; - } - a - }; - - // take weighted sum of the two vectors using w - assert_eq!(a_sc.len(), a_eval.len()); - (0..a_sc.len()) - .map(|i| w[0] * a_sc[i] + w[1] * a_eval[i]) - .collect::>() - }; - - let proof = DotProductProof::prove(transcript, random_tape, &poly.as_vec(), &a, &target); - - (proof, eval) - }; - - proofs.push(proof); - claim_per_round = claim_next_round; - r.push(r_j); + claim_per_round = poly.evaluate(&r_j); + cubic_polys.push(poly.compress()); } ( - R1CSSumcheckInstanceProof::new(proofs), + SumcheckInstanceProof::new(cubic_polys), r, vec![ poly_A[0], @@ -653,7 +543,7 @@ impl R1CSSumcheckInstanceProof { let mut claim_per_round = *claim; let mut r: Vec = Vec::new(); - let mut proofs: Vec> = Vec::new(); + let mut cubic_polys: Vec> = Vec::new(); let mut cons_len = num_rounds_x_max.pow2(); let mut proof_len = num_rounds_q_max.pow2(); 
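Review bot: `cubic_polys.push(poly.compress())` in hunk `@@ -552,61 +491,12 @@` puts each round polynomial into the proof in the clear, and nothing in the function's documentation records that the result is no longer zero-knowledge. The removed code proved the two round relations through `DotProductProof` with randomness from `random_tape`. The round polynomials appear to be computed from the tables bound in this loop, including `poly_C`, which r1csproof.rs passes as `evals_z`, so a holder of the proof now sees values derived from them. If that is intended, add a doc comment on `prove_cubic_disjoint_rounds` and on `prove_cubic_with_additive_term_disjoint_rounds` (hunk `@@ -813,60 +707,12 @@`) along the lines of `/// NOT zero-knowledge: round polynomials are sent unblinded; do not use where the witness must stay hidden.` Callers that relied on the old hiding property need to be reviewed; the function body starts and ends outside the hunk.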
@@ -798,8 +688,12 @@ impl R1CSSumcheckInstanceProof { poly }; + // append the prover's message to the transcript + poly.append_to_transcript(b"poly", transcript); + //derive the verifier's challenge for the next round let r_j = transcript.challenge_scalar(b"challenge_nextround"); + r.push(r_j); // bound all tables to the verifier's challenege if mode == 1 { @@ -813,60 +707,12 @@ impl R1CSSumcheckInstanceProof { poly_C.bound_poly(&r_j, mode); poly_D.bound_poly(&r_j, mode); - let (proof, claim_next_round) = { - let eval = poly.evaluate(&r_j); - - // we need to prove the following under homomorphic commitments: - // (1) poly(0) + poly(1) = claim_per_round - // (2) poly(r_j) = eval - - // Our technique is to leverage dot product proofs: - // (1) we can prove: = claim_per_round - // (2) we can prove: = transcript.challenge_vector(b"combine_two_claims_to_one", 2); - - // compute a weighted sum of the RHS - let target = w[0] * claim_per_round + w[1] * eval; - - let a = { - // the vector to use to decommit for sum-check test - let a_sc = { - let mut a = vec![S::field_one(); poly.degree() + 1]; - a[0] = a[0] + S::field_one(); - a - }; - - // the vector to use to decommit for evaluation - let a_eval = { - let mut a = vec![S::field_one(); poly.degree() + 1]; - for j in 1..a.len() { - a[j] = a[j - 1] * r_j; - } - a - }; - - // take weighted sum of the two vectors using w - assert_eq!(a_sc.len(), a_eval.len()); - (0..a_sc.len()) - .map(|i| w[0] * a_sc[i] + w[1] * a_eval[i]) - .collect::>() - }; - - let proof = DotProductProof::prove(transcript, random_tape, &poly.as_vec(), &a, &target); - - (proof, eval) - }; - - proofs.push(proof); - claim_per_round = claim_next_round; - r.push(r_j); + claim_per_round = poly.evaluate(&r_j); + cubic_polys.push(poly.compress()); } ( - R1CSSumcheckInstanceProof::new(proofs), + SumcheckInstanceProof::new(cubic_polys), r, vec![ poly_Ap[0] * poly_Aq[0] * poly_Ax[0], 
@@ -876,4 +722,4 @@ impl R1CSSumcheckInstanceProof { ], ) } -} +} \ No newline at end of file