Merge branch 'feat/goldilocks-spartan' into feat/basefield_backing_ob…

…jects
scroll-tech · Dec 4, 2024 · d746a2d · d746a2d
2 parents 214fe75 + 88029e3
commit d746a2d
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 92 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -0,0 +1,10 @@
+# README
+
+- [data parallel variant of spartan](./spartan_parallel.md)
+- [zok format](./zok_format.md)
+- [circ blocks](./circ_blocks.md)
+
+## Hosting
+Since math equations are not rendered well on GitHub, we copied some of the docs to HackMD.
+
+- [spartan_parallel.md](https://hackmd.io/@ceno-zkvm/SyiiVUsmkl)
diff --git a/documentations/circ_blocks.md → docs/circ_blocks.md b/documentations/circ_blocks.md → docs/circ_blocks.md
diff --git a/documentations/spartan_parallel.md → docs/spartan_parallel.md b/documentations/spartan_parallel.md → docs/spartan_parallel.md
diff --git a/documentations/zok_format.md → docs/zok_format.md b/documentations/zok_format.md → docs/zok_format.md
diff --git a/spartan_parallel/src/nizk/mod.rs b/spartan_parallel/src/nizk/mod.rs
@@ -76,7 +76,6 @@ impl<S: SpartanExtensionField> EqualityProof<S> {
     _v1: &S,
     s1: &S,
     _v2: &S,
-    s2: &S,
   ) -> EqualityProof<S> {
     <Transcript as ProofTranscript<S>>::append_protocol_name(
       transcript,
@@ -86,7 +85,7 @@ impl<S: SpartanExtensionField> EqualityProof<S> {
     // produce a random Scalar
     let r = random_tape.random_scalar(b"r");
     let c: S = transcript.challenge_scalar(b"c");
-    let z = c * (*s1 - *s2) + r;
+    let z = c * *s1 + r;
 
     EqualityProof { z }
   }
@@ -193,10 +192,8 @@ impl<S: SpartanExtensionField> DotProductProof<S> {
     transcript: &mut Transcript,
     random_tape: &mut RandomTape<S>,
     x_vec: &[S],
-    blind_x: &S,
     a_vec: &[S],
     _y: &S,
-    blind_y: &S,
   ) -> DotProductProof<S> {
     <Transcript as ProofTranscript<S>>::append_protocol_name(
       transcript,
@@ -220,8 +217,8 @@ impl<S: SpartanExtensionField> DotProductProof<S> {
       .map(|i| c * x_vec[i] + d_vec[i])
       .collect::<Vec<S>>();
 
-    let z_delta = c * *blind_x + r_delta;
-    let z_beta = c * *blind_y + r_beta;
+    let z_delta = c + r_delta;
+    let z_beta = c + r_beta;
 
     DotProductProof { z, z_delta, z_beta }
   }

diff --git a/spartan_parallel/src/r1csproof.rs b/spartan_parallel/src/r1csproof.rs
@@ -6,7 +6,7 @@ use super::math::Math;
 use super::nizk::{EqualityProof, KnowledgeProof, ProductProof};
 use super::r1csinstance::R1CSInstance;
 use super::random::RandomTape;
-use super::sumcheck::ZKSumcheckInstanceProof;
+use super::sumcheck::R1CSSumcheckInstanceProof;
 use super::timer::Timer;
 use super::transcript::ProofTranscript;
 use crate::scalar::SpartanExtensionField;
@@ -17,8 +17,8 @@ use std::cmp::min;
 
 #[derive(Serialize, Deserialize, Debug)]
 pub struct R1CSProof<S: SpartanExtensionField> {
-  sc_proof_phase1: ZKSumcheckInstanceProof<S>,
-  sc_proof_phase2: ZKSumcheckInstanceProof<S>,
+  sc_proof_phase1: R1CSSumcheckInstanceProof<S>,
+  sc_proof_phase2: R1CSSumcheckInstanceProof<S>,
   pok_claims_phase2: (KnowledgeProof<S>, ProductProof<S>),
   proof_eq_sc_phase1: EqualityProof<S>,
   proof_eq_sc_phase2: EqualityProof<S>,
@@ -41,15 +41,14 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
     evals_Cz: &mut DensePolynomialPqx<S>,
     transcript: &mut Transcript,
     random_tape: &mut RandomTape<S>,
-  ) -> (ZKSumcheckInstanceProof<S>, Vec<S>, Vec<S>, S) {
+  ) -> (R1CSSumcheckInstanceProof<S>, Vec<S>, Vec<S>) {
     let comb_func = |poly_A_comp: &S, poly_B_comp: &S, poly_C_comp: &S, poly_D_comp: &S| -> S {
       *poly_A_comp * (*poly_B_comp * *poly_C_comp - *poly_D_comp)
     };
 
-    let (sc_proof_phase_one, r, claims, blind_claim_postsc) =
-      ZKSumcheckInstanceProof::<S>::prove_cubic_with_additive_term_disjoint_rounds(
+    let (sc_proof_phase_one, r, claims) =
+      R1CSSumcheckInstanceProof::<S>::prove_cubic_with_additive_term_disjoint_rounds(
         &S::field_zero(), // claim is zero
-        &S::field_zero(), // blind for claim is also zero
         num_rounds,
         num_rounds_x_max,
         num_rounds_q_max,
@@ -67,7 +66,7 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
         random_tape,
       );
 
-    (sc_proof_phase_one, r, claims, blind_claim_postsc)
+    (sc_proof_phase_one, r, claims)
   }
 
   fn prove_phase_two(
@@ -79,20 +78,18 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
     num_witness_secs: usize,
     num_inputs: Vec<usize>,
     claim: &S,
-    blind_claim: &S,
     evals_eq: &mut DensePolynomial<S>,
     evals_ABC: &mut DensePolynomialPqx<S>,
     evals_z: &mut DensePolynomialPqx<S>,
     transcript: &mut Transcript,
     random_tape: &mut RandomTape<S>,
-  ) -> (ZKSumcheckInstanceProof<S>, Vec<S>, Vec<S>, S) {
+  ) -> (R1CSSumcheckInstanceProof<S>, Vec<S>, Vec<S>) {
     let comb_func = |poly_A_comp: &S, poly_B_comp: &S, poly_C_comp: &S| -> S {
       *poly_A_comp * *poly_B_comp * *poly_C_comp
     };
-    let (sc_proof_phase_two, r, claims, blind_claim_postsc) =
-      ZKSumcheckInstanceProof::<S>::prove_cubic_disjoint_rounds(
+    let (sc_proof_phase_two, r, claims) =
+      R1CSSumcheckInstanceProof::<S>::prove_cubic_disjoint_rounds(
         claim,
-        blind_claim,
         num_rounds,
         num_rounds_y_max,
         num_rounds_w,
@@ -108,7 +105,7 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
         random_tape,
       );
 
-    (sc_proof_phase_two, r, claims, blind_claim_postsc)
+    (sc_proof_phase_two, r, claims)
   }
 
   fn protocol_name() -> &'static [u8] {
@@ -235,7 +232,7 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
 
     // Sumcheck 1: (Az * Bz - Cz) * eq(x, q, p) = 0
     let timer_tmp = Timer::new("prove_sum_check");
-    let (sc_proof_phase1, rx, _claims_phase1, blind_claim_postsc1) = R1CSProof::prove_phase_one(
+    let (sc_proof_phase1, rx, _claims_phase1) = R1CSProof::prove_phase_one(
       num_rounds_x + num_rounds_q + num_rounds_p,
       num_rounds_x,
       num_rounds_q,
@@ -303,7 +300,6 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
       &claim_post_phase1,
       &blind_expected_claim_postsc1,
       &claim_post_phase1,
-      &blind_claim_postsc1,
     );
 
     // Separate the result rx into rp, rq, and rx
@@ -324,7 +320,6 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
     let r_C: S = transcript.challenge_scalar(b"challenge_Cz");
 
     let claim_phase2 = r_A * *Az_claim + r_B * *Bz_claim + r_C * *Cz_claim;
-    let blind_claim_phase2 = r_A * Az_blind + r_B * Bz_blind + r_C * Cz_blind;
 
     let timer_tmp = Timer::new("prove_abc_gen");
     let evals_ABC = {
@@ -380,7 +375,7 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
     let mut eq_p_rp_poly = DensePolynomial::new(EqPolynomial::new(rp).evals());
 
     // Sumcheck 2: (rA + rB + rC) * Z * eq(p) = e
-    let (sc_proof_phase2, ry, claims_phase2, blind_claim_postsc2) = R1CSProof::prove_phase_two(
+    let (sc_proof_phase2, ry, claims_phase2) = R1CSProof::prove_phase_two(
       num_rounds_y + num_rounds_w + num_rounds_p,
       num_rounds_y,
       num_rounds_w,
@@ -389,7 +384,6 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
       num_witness_secs,
       num_inputs.clone(),
       &claim_phase2,
-      &blind_claim_phase2,
       &mut eq_p_rp_poly,
       &mut ABC_poly,
       &mut Z_poly,
@@ -553,7 +547,6 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
       &claim_post_phase2,
       &blind_expected_claim_postsc2,
       &claim_post_phase2,
-      &blind_claim_postsc2,
     );
 
     timer_prove.stop();

diff --git a/spartan_parallel/src/scalar/mod.rs b/spartan_parallel/src/scalar/mod.rs
@@ -13,7 +13,7 @@ use std::{
   cmp::Eq,
   hash::Hash,
   iter::{Product, Sum},
-  ops::{Add, Mul, MulAssign, Neg, Sub},
+  ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign},
 };
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 use zeroize::Zeroize;
@@ -35,6 +35,9 @@ pub trait SpartanExtensionField:
   + Add<Output = Self>
   + Sub<Output = Self>
   + Mul<Output = Self>
+  + AddAssign<Self>
+  + SubAssign<Self>
+  + MulAssign<Self>
   + Sum
   + Product
   + Clone

diff --git a/spartan_parallel/src/sumcheck.rs b/spartan_parallel/src/sumcheck.rs
@@ -71,13 +71,13 @@ impl<S: SpartanExtensionField> SumcheckInstanceProof<S> {
 }
 
 #[derive(Serialize, Deserialize, Debug)]
-pub struct ZKSumcheckInstanceProof<S: SpartanExtensionField> {
+pub struct R1CSSumcheckInstanceProof<S: SpartanExtensionField> {
   proofs: Vec<DotProductProof<S>>,
 }
 
-impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
+impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
   pub fn new(proofs: Vec<DotProductProof<S>>) -> Self {
-    ZKSumcheckInstanceProof { proofs }
+    R1CSSumcheckInstanceProof { proofs }
   }
 
   pub fn verify(
@@ -155,7 +155,7 @@ impl<S: SpartanExtensionField> SumcheckInstanceProof<S> {
       let len = poly_A.len() / 2;
       for i in 0..len {
         // eval 0: bound_func is A(low)
-        eval_point_0 = eval_point_0 + comb_func(&poly_A[i], &poly_B[i], &poly_C[i]);
+        eval_point_0 += comb_func(&poly_A[i], &poly_B[i], &poly_C[i]);
 
         // eval 2: bound_func is -A(low) + 2*A(high)
         let poly_A_bound_point = poly_A[len + i] + poly_A[len + i] - poly_A[i];
@@ -381,10 +381,9 @@ impl<S: SpartanExtensionField> SumcheckInstanceProof<S> {
   }
 }
 
-impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
+impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
   pub fn prove_cubic_disjoint_rounds<F>(
     claim: &S,
-    blind_claim: &S,
     num_rounds: usize,
     num_rounds_y_max: usize,
     num_rounds_w: usize,
@@ -398,7 +397,7 @@ impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
     comb_func: F,
     transcript: &mut Transcript,
     random_tape: &mut RandomTape<S>,
-  ) -> (Self, Vec<S>, Vec<S>, S)
+  ) -> (Self, Vec<S>, Vec<S>)
   where
     F: Fn(&S, &S, &S) -> S,
   {
@@ -408,11 +407,6 @@ impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
     // poly_A is the EQ polynomial of size P * W * Y_max
     assert_eq!(num_rounds, num_rounds_y_max + num_rounds_w + num_rounds_p);
 
-    let (blinds_poly, blinds_evals) = (
-      random_tape.random_vector(b"blinds_poly", num_rounds),
-      random_tape.random_vector(b"blinds_evals", num_rounds),
-    );
-
     let mut claim_per_round = *claim;
 
     let mut r: Vec<S> = Vec::new();
@@ -577,18 +571,6 @@ impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
         // compute a weighted sum of the RHS
         let target = w[0] * claim_per_round + w[1] * eval;
 
-        let blind = {
-          let blind_sc = if j == 0 {
-            blind_claim
-          } else {
-            &blinds_evals[j - 1]
-          };
-
-          let blind_eval = &blinds_evals[j];
-
-          w[0] * *blind_sc + w[1] * *blind_eval
-        };
-
         let a = {
           // the vector to use to decommit for sum-check test
           let a_sc = {
@@ -613,15 +595,7 @@ impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
             .collect::<Vec<S>>()
         };
 
-        let proof = DotProductProof::prove(
-          transcript,
-          random_tape,
-          &poly.as_vec(),
-          &blinds_poly[j],
-          &a,
-          &target,
-          &blind,
-        );
+        let proof = DotProductProof::prove(transcript, random_tape, &poly.as_vec(), &a, &target);
 
         (proof, eval)
       };
@@ -632,20 +606,18 @@ impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
     }
 
     (
-      ZKSumcheckInstanceProof::new(proofs),
+      R1CSSumcheckInstanceProof::new(proofs),
       r,
       vec![
         poly_A[0],
         poly_B.index(0, 0, 0, 0),
         poly_C.index(0, 0, 0, 0),
       ],
-      blinds_evals[num_rounds - 1],
     )
   }
 
   pub fn prove_cubic_with_additive_term_disjoint_rounds<F>(
     claim: &S,
-    blind_claim: &S,
     num_rounds: usize,
     num_rounds_x_max: usize,
     num_rounds_q_max: usize,
@@ -661,7 +633,7 @@ impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
     comb_func: F,
     transcript: &mut Transcript,
     random_tape: &mut RandomTape<S>,
-  ) -> (Self, Vec<S>, Vec<S>, S)
+  ) -> (Self, Vec<S>, Vec<S>)
   where
     F: Fn(&S, &S, &S, &S) -> S,
   {
@@ -678,11 +650,6 @@ impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
     assert_eq!(poly_C.num_witness_secs, 1);
     assert_eq!(poly_D.num_witness_secs, 1);
 
-    let (blinds_poly, blinds_evals) = (
-      random_tape.random_vector(b"blinds_poly", num_rounds),
-      random_tape.random_vector(b"blinds_evals", num_rounds),
-    );
-
     let mut claim_per_round = *claim;
 
     let mut r: Vec<S> = Vec::new();
@@ -864,18 +831,6 @@ impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
         // compute a weighted sum of the RHS
         let target = w[0] * claim_per_round + w[1] * eval;
 
-        let blind = {
-          let blind_sc = if j == 0 {
-            blind_claim
-          } else {
-            &blinds_evals[j - 1]
-          };
-
-          let blind_eval = &blinds_evals[j];
-
-          w[0] * *blind_sc + w[1] * *blind_eval
-        };
-
         let a = {
           // the vector to use to decommit for sum-check test
           let a_sc = {
@@ -900,15 +855,7 @@ impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
             .collect::<Vec<S>>()
         };
 
-        let proof = DotProductProof::prove(
-          transcript,
-          random_tape,
-          &poly.as_vec(),
-          &blinds_poly[j],
-          &a,
-          &target,
-          &blind,
-        );
+        let proof = DotProductProof::prove(transcript, random_tape, &poly.as_vec(), &a, &target);
 
         (proof, eval)
       };
@@ -919,15 +866,14 @@ impl<S: SpartanExtensionField> ZKSumcheckInstanceProof<S> {
     }
 
     (
-      ZKSumcheckInstanceProof::new(proofs),
+      R1CSSumcheckInstanceProof::new(proofs),
       r,
       vec![
         poly_Ap[0] * poly_Aq[0] * poly_Ax[0],
         poly_B.index(0, 0, 0, 0),
         poly_C.index(0, 0, 0, 0),
         poly_D.index(0, 0, 0, 0),
       ],
-      blinds_evals[num_rounds - 1],
     )
   }
 }