From 57d3a1559bc78c148fb18b9fdd6986fb768ba67d Mon Sep 17 00:00:00 2001 From: Hang Su Date: Tue, 18 Feb 2025 23:37:05 -0500 Subject: [PATCH] update - remove zk property, so no ipa no sigma protocol no pedersen hiding... --- poly_commit/benches/hyrax.rs | 4 +- poly_commit/src/hyrax.rs | 3 - poly_commit/src/hyrax/hyrax_impl.rs | 49 ++-- poly_commit/src/hyrax/inner_prod_argument.rs | 213 ------------------ poly_commit/src/hyrax/pcs_for_expander_gkr.rs | 71 ++---- poly_commit/src/hyrax/pcs_trait_impl.rs | 24 +- poly_commit/src/hyrax/pedersen.rs | 34 +-- 7 files changed, 55 insertions(+), 343 deletions(-) delete mode 100644 poly_commit/src/hyrax/inner_prod_argument.rs diff --git a/poly_commit/benches/hyrax.rs b/poly_commit/benches/hyrax.rs index 9021f95f..2b718980 100644 --- a/poly_commit/benches/hyrax.rs +++ b/poly_commit/benches/hyrax.rs @@ -16,7 +16,7 @@ fn hyrax_committing_benchmark_helper( let mut group = c.benchmark_group("Hyrax PCS committing"); let mut rng = test_rng(); - let mut scratch_pad = Vec::new(); + let mut scratch_pad = (); for num_vars in lowest_num_vars..=highest_num_vars { let poly = MultiLinearPoly::::random(num_vars, &mut rng); @@ -57,7 +57,7 @@ fn hyrax_opening_benchmark_helper( let mut rng = test_rng(); let mut transcript = BytesHashTranscript::::new(); - let mut scratch_pad = Vec::new(); + let mut scratch_pad = (); for num_vars in lowest_num_vars..=highest_num_vars { let poly = MultiLinearPoly::::random(num_vars, &mut rng); diff --git a/poly_commit/src/hyrax.rs b/poly_commit/src/hyrax.rs index e46fbb66..5e4d2a89 100644 --- a/poly_commit/src/hyrax.rs +++ b/poly_commit/src/hyrax.rs @@ -1,9 +1,6 @@ mod pedersen; pub use pedersen::PedersenParams; -mod inner_prod_argument; -pub use inner_prod_argument::PedersenIPAProof; - mod hyrax_impl; pub use hyrax_impl::HyraxCommitment; diff --git a/poly_commit/src/hyrax/hyrax_impl.rs b/poly_commit/src/hyrax/hyrax_impl.rs index 0dfb22cb..24a1b341 100644 --- a/poly_commit/src/hyrax/hyrax_impl.rs +++ b/poly_commit/src/hyrax/hyrax_impl.rs @@ -1,12 +1,10 @@ use arith::{ExtensionField, FieldSerde}; use halo2curves::{ff::PrimeField, msm, CurveAffine}; use polynomials::{EqPolynomial, MultiLinearPoly, MultilinearExtension, RefMultiLinearPoly}; -use transcript::Transcript; use crate::hyrax::{ - inner_prod_argument::{pedersen_ipa_prove, pedersen_ipa_verify}, pedersen::{pedersen_commit, pedersen_setup}, - PedersenIPAProof, PedersenParams, + PedersenParams, }; pub(crate) fn hyrax_setup( @@ -41,7 +39,6 @@ impl FieldSerde for HyraxCommitment { pub(crate) fn hyrax_commit( params: &PedersenParams, mle_poly: &impl MultilinearExtension, - randomness: &mut Vec, ) -> HyraxCommitment where C::Scalar: ExtensionField + PrimeField, @@ -52,26 +49,22 @@ where let pedersen_len = 1usize << pedersen_vars; assert_eq!(pedersen_len, params.bases.len()); - let (commitments, rs): (Vec, Vec) = mle_poly + let commitments: Vec = mle_poly .hypercube_basis_ref() .chunks(pedersen_len) .map(|sub_hypercube| pedersen_commit(params, sub_hypercube)) - .unzip(); - *randomness = rs; + .collect(); HyraxCommitment(commitments) } -pub(crate) fn hyrax_open( +pub(crate) fn hyrax_open( params: &PedersenParams, mle_poly: &impl MultilinearExtension, eval_point: &[C::Scalar], - commit_randomness: &Vec, - transcript: &mut T, -) -> (C::Scalar, PedersenIPAProof) +) -> (C::Scalar, Vec) where C: CurveAffine + FieldSerde, - T: Transcript, C::Scalar: ExtensionField + PrimeField, C::ScalarExt: ExtensionField + PrimeField, { @@ -88,33 +81,19 @@ where let mut buffer = vec![C::Scalar::default(); local_mle.coeffs.len()]; let final_eval = local_mle.evaluate_with_buffer(&eval_point[..pedersen_vars], &mut buffer); - let final_com_randomness = RefMultiLinearPoly::from_ref(commit_randomness) - .evaluate_with_buffer(&eval_point[pedersen_vars..], &mut buffer); - let row_eqs = EqPolynomial::build_eq_x_r(&eval_point[..pedersen_vars]); - - ( - final_eval, - pedersen_ipa_prove( - params, - &local_mle.coeffs, - &row_eqs, - final_com_randomness, - transcript, - ), - ) + + (final_eval, local_mle.coeffs) } -pub(crate) fn hyrax_verify( +pub(crate) fn hyrax_verify( params: &PedersenParams, comm: &HyraxCommitment, eval_point: &[C::Scalar], eval: C::Scalar, - proof: &PedersenIPAProof, - transcript: &mut T, + proof: &Vec, ) -> bool where C: CurveAffine + FieldSerde, - T: Transcript, C::Scalar: ExtensionField + PrimeField, C::ScalarExt: ExtensionField + PrimeField, { @@ -127,6 +106,12 @@ where let mut row_comm = C::Curve::default(); msm::multiexp_serial(&eq_combination, &comm.0, &mut row_comm); - let row_eqs = EqPolynomial::build_eq_x_r(&eval_point[..pedersen_vars]); - pedersen_ipa_verify(params, row_comm.into(), proof, &row_eqs, eval, transcript) + if pedersen_commit(params, proof) != row_comm.into() { + return false; + } + + let mut scratch = vec![C::Scalar::default(); proof.len()]; + RefMultiLinearPoly::from_ref(proof) + .evaluate_with_buffer(&eval_point[..pedersen_vars], &mut scratch) + == eval } diff --git a/poly_commit/src/hyrax/inner_prod_argument.rs b/poly_commit/src/hyrax/inner_prod_argument.rs deleted file mode 100644 index b4c7e4ab..00000000 --- a/poly_commit/src/hyrax/inner_prod_argument.rs +++ /dev/null @@ -1,213 +0,0 @@ -use arith::{ExtensionField, FieldSerde}; -use halo2curves::{ - ff::{Field, PrimeField}, - group::Curve, - CurveAffine, -}; -use itertools::izip; -use rand::thread_rng; -use transcript::Transcript; - -use crate::hyrax::{ - pedersen::{pedersen_commit, pedersen_commit_deterministic}, - PedersenParams, -}; - -#[derive(Clone, Debug, Default)] -pub struct PedersenIPAProof -where - C::Scalar: FieldSerde, -{ - pub com_r: C, - pub com_zero: C, - pub com_ip_ry: C, - pub sigma_3rd_masked_r_mu_x: Vec, - pub sigma_3rd_masked_r_mu_x_randomness: C::Scalar, - pub sigma_3rd_masked_eval_randomness: C::Scalar, -} - -impl FieldSerde for PedersenIPAProof -where - C::Scalar: FieldSerde, -{ - const SERIALIZED_SIZE: usize = unimplemented!(); - - fn serialize_into(&self, mut writer: W) -> arith::FieldSerdeResult<()> { - self.com_r.serialize_into(&mut writer)?; - self.com_zero.serialize_into(&mut writer)?; - self.com_ip_ry.serialize_into(&mut writer)?; - self.sigma_3rd_masked_r_mu_x.serialize_into(&mut writer)?; - self.sigma_3rd_masked_r_mu_x_randomness - .serialize_into(&mut writer)?; - self.sigma_3rd_masked_eval_randomness - .serialize_into(&mut writer) - } - - fn deserialize_from(mut reader: R) -> arith::FieldSerdeResult { - let com_r: C = C::deserialize_from(&mut reader)?; - let com_zero: C = C::deserialize_from(&mut reader)?; - let com_ip_ry: C = C::deserialize_from(&mut reader)?; - let sigma_3rd_masked_r_mu_x: Vec = Vec::deserialize_from(&mut reader)?; - let sigma_3rd_masked_r_mu_x_randomness = C::Scalar::deserialize_from(&mut reader)?; - let sigma_3rd_masked_eval_randomness = C::Scalar::deserialize_from(&mut reader)?; - Ok(Self { - com_r, - com_zero, - com_ip_ry, - sigma_3rd_masked_r_mu_x, - sigma_3rd_masked_r_mu_x_randomness, - sigma_3rd_masked_eval_randomness, - }) - } -} - -pub(crate) fn pedersen_ipa_prove( - params: &PedersenParams, - x_vec: &[C::Scalar], - y_vec: &[C::Scalar], - com_randomness: C::Scalar, - transcript: &mut T, -) -> PedersenIPAProof -where - C: CurveAffine + FieldSerde, - T: Transcript, - C::Scalar: ExtensionField + PrimeField, - C::ScalarExt: ExtensionField + PrimeField, -{ - let mut pedersen_commit_ro_absorb = |gs: &[C::Scalar]| -> (C, C::Scalar) { - let (com, r_mask) = pedersen_commit(params, gs); - - let mut com_bytes: Vec = Vec::new(); - com.serialize_into(&mut com_bytes).unwrap(); - transcript.append_u8_slice(&com_bytes); - (com, r_mask) - }; - - // NOTE(HS) we want some randomness in sigma protocol masking, but not from transcript. - let r_vec: Vec = { - let mut rng = thread_rng(); - (0..x_vec.len()) - .map(|_| C::Scalar::random(&mut rng)) - .collect() - }; - let (com_r, rs_mask) = pedersen_commit_ro_absorb(&r_vec); - - let (com_zero, zero_mask) = pedersen_commit_ro_absorb(&[]); - - let ip_ry: C::Scalar = izip!(&r_vec, y_vec).map(|(r, y)| *r * *y).sum(); - let (com_ip_ry, ip_mask) = pedersen_commit_ro_absorb(&[ip_ry]); - - let mu: C::Scalar = transcript.generate_challenge_field_element(); - - let sigma_3rd_masked_r_mu_x: Vec<_> = izip!(&r_vec, x_vec).map(|(r, x)| *r + mu * *x).collect(); - let sigma_3rd_masked_r_mu_x_randomness = com_randomness * mu + rs_mask; - let sigma_3rd_masked_eval_randomness = zero_mask * mu + ip_mask; - - PedersenIPAProof { - com_r, - com_zero, - com_ip_ry, - sigma_3rd_masked_r_mu_x, - sigma_3rd_masked_r_mu_x_randomness, - sigma_3rd_masked_eval_randomness, - } -} - -pub(crate) fn pedersen_ipa_verify( - params: &PedersenParams, - com_x: C, - proof: &PedersenIPAProof, - y_vec: &[C::Scalar], - eval: C::Scalar, - transcript: &mut T, -) -> bool -where - C: CurveAffine + FieldSerde, - T: Transcript, - C::Scalar: ExtensionField + PrimeField, - C::ScalarExt: ExtensionField + PrimeField, -{ - let mut com_bytes: Vec = Vec::new(); - - proof.com_r.serialize_into(&mut com_bytes).unwrap(); - transcript.append_u8_slice(&com_bytes); - com_bytes.clear(); - - proof.com_zero.serialize_into(&mut com_bytes).unwrap(); - transcript.append_u8_slice(&com_bytes); - com_bytes.clear(); - - proof.com_ip_ry.serialize_into(&mut com_bytes).unwrap(); - transcript.append_u8_slice(&com_bytes); - com_bytes.clear(); - - let mu = transcript.generate_challenge_field_element(); - - let com_sigma_3rd_r_mu_x = pedersen_commit_deterministic( - params, - &proof.sigma_3rd_masked_r_mu_x, - proof.sigma_3rd_masked_r_mu_x_randomness, - ); - if (com_x * mu + proof.com_r).to_affine() != com_sigma_3rd_r_mu_x { - return false; - } - - let ip_r_mu_x_y: C::Scalar = izip!(&proof.sigma_3rd_masked_r_mu_x, y_vec) - .map(|(s, y)| *s * *y) - .sum(); - - let com_masked_eval: C = pedersen_commit_deterministic( - params, - &[ip_r_mu_x_y], - proof.sigma_3rd_masked_eval_randomness, - ); - let com_mu_eval = pedersen_commit_deterministic(params, &[eval * mu], C::Scalar::ZERO); - - (proof.com_zero * mu + com_mu_eval + proof.com_ip_ry).to_affine() == com_masked_eval -} - -#[cfg(test)] -mod test { - use ark_std::test_rng; - use halo2curves::{ - bn256::{Fr, G1Affine}, - ff::Field, - }; - use itertools::izip; - use transcript::{BytesHashTranscript, Keccak256hasher, Transcript}; - - use crate::hyrax::{ - inner_prod_argument::{pedersen_ipa_prove, pedersen_ipa_verify}, - pedersen::{pedersen_commit, pedersen_setup}, - }; - - const IPA_VEC_LEN: usize = 1024; - - #[test] - fn test_pedersen_sigma_ipa_e2e() { - let mut rng = test_rng(); - let params = pedersen_setup::(IPA_VEC_LEN, &mut rng); - let mut p_transcript = BytesHashTranscript::::new(); - let mut v_transcript = p_transcript.clone(); - - let x_vec: Vec = (0..IPA_VEC_LEN).map(|_| Fr::random(&mut rng)).collect(); - let (x_com, x_com_randomness) = pedersen_commit(¶ms, &x_vec); - - let y_vec: Vec = (0..IPA_VEC_LEN).map(|_| Fr::random(&mut rng)).collect(); - - let expected_eval: Fr = izip!(&x_vec, &y_vec).map(|(x, y)| *x * *y).sum(); - - let ipa_proof = - pedersen_ipa_prove(¶ms, &x_vec, &y_vec, x_com_randomness, &mut p_transcript); - - let ipa_verification = pedersen_ipa_verify( - ¶ms, - x_com, - &ipa_proof, - &y_vec, - expected_eval, - &mut v_transcript, - ); - assert!(ipa_verification) - } -} diff --git a/poly_commit/src/hyrax/pcs_for_expander_gkr.rs b/poly_commit/src/hyrax/pcs_for_expander_gkr.rs index 6d338023..048e830d 100644 --- a/poly_commit/src/hyrax/pcs_for_expander_gkr.rs +++ b/poly_commit/src/hyrax/pcs_for_expander_gkr.rs @@ -7,9 +7,9 @@ use transcript::Transcript; use crate::{ hyrax::{ hyrax_impl::{hyrax_commit, hyrax_open, hyrax_setup, hyrax_verify}, - inner_prod_argument::{pedersen_ipa_prove, pedersen_ipa_verify}, + pedersen::pedersen_commit, }, - HyraxCommitment, HyraxPCS, PCSForExpanderGKR, PedersenIPAProof, PedersenParams, + HyraxCommitment, HyraxPCS, PCSForExpanderGKR, PedersenParams, }; impl PCSForExpanderGKR for HyraxPCS @@ -23,10 +23,10 @@ where const NAME: &'static str = "HyraxPCSForExpanderGKR"; type Params = usize; - type ScratchPad = Vec; + type ScratchPad = (); type Commitment = HyraxCommitment; - type Opening = PedersenIPAProof; + type Opening = Vec; type SRS = PedersenParams; fn gen_params(n_input_vars: usize) -> Self::Params { @@ -37,7 +37,6 @@ where #[allow(unused)] params: &Self::Params, #[allow(unused)] mpi_config: &mpi_config::MPIConfig, ) -> Self::ScratchPad { - Vec::new() } fn gen_srs_for_testing( @@ -53,9 +52,9 @@ where mpi_config: &mpi_config::MPIConfig, proving_key: &::PKey, poly: &impl polynomials::MultilinearExtension<::SimdCircuitField>, - scratch_pad: &mut Self::ScratchPad, + #[allow(unused)] scratch_pad: &mut Self::ScratchPad, ) -> Self::Commitment { - let local_commit = hyrax_commit(proving_key, poly, scratch_pad); + let local_commit = hyrax_commit(proving_key, poly); if mpi_config.is_single_process() { return local_commit; @@ -81,11 +80,11 @@ where proving_key: &::PKey, poly: &impl polynomials::MultilinearExtension<::SimdCircuitField>, x: &crate::ExpanderGKRChallenge, - transcript: &mut T, // add transcript here to allow interactive arguments - scratch_pad: &Self::ScratchPad, + #[allow(unused)] transcript: &mut T, // add transcript here to allow interactive arguments + #[allow(unused)] scratch_pad: &Self::ScratchPad, ) -> Self::Opening { if mpi_config.is_single_process() { - let (_, open) = hyrax_open(proving_key, poly, &x.local_xs(), scratch_pad, transcript); + let (_, open) = hyrax_open(proving_key, poly, &x.local_xs()); return open; } @@ -103,32 +102,12 @@ where let eq_mpi_vars = EqPolynomial::build_eq_x_r(&x.x_mpi); let combined_coeffs = mpi_config.coef_combine_vec(&local_mle.coeffs, &eq_mpi_vars); - let combined_com_randomness = mpi_config.coef_combine_vec(scratch_pad, &eq_mpi_vars); - - let mut buffer = vec![C::Scalar::default(); scratch_pad.len()]; - let row_eqs = EqPolynomial::build_eq_x_r(&local_vars[..pedersen_vars]); if mpi_config.is_root() { - let final_com_randomness = RefMultiLinearPoly::from_ref(&combined_com_randomness) - .evaluate_with_buffer(&local_vars[pedersen_vars..], &mut buffer); - return pedersen_ipa_prove( - proving_key, - &combined_coeffs, - &row_eqs, - final_com_randomness, - transcript, - ); + return combined_coeffs; } - let final_com_randomness = RefMultiLinearPoly::from_ref(scratch_pad) - .evaluate_with_buffer(&local_vars[pedersen_vars..], &mut buffer); - pedersen_ipa_prove( - proving_key, - &local_mle.coeffs, - &row_eqs, - final_com_randomness, - transcript, - ) + local_mle.coeffs } fn verify( @@ -138,18 +117,11 @@ where commitment: &Self::Commitment, x: &crate::ExpanderGKRChallenge, v: ::ChallengeField, - transcript: &mut T, // add transcript here to allow interactive arguments + #[allow(unused)] transcript: &mut T, // add transcript here to allow interactive arguments opening: &Self::Opening, ) -> bool { if mpi_config.is_single_process() || !mpi_config.is_root() { - return hyrax_verify( - verifying_key, - commitment, - &x.local_xs(), - v, - opening, - transcript, - ); + return hyrax_verify(verifying_key, commitment, &x.local_xs(), v, opening); } let local_num_vars = x.local_xs().len(); @@ -165,14 +137,13 @@ where let mut row_comm = C::Curve::default(); msm::multiexp_serial(&eq_combination, &commitment.0, &mut row_comm); - let row_eqs = EqPolynomial::build_eq_x_r(&local_vars[..pedersen_vars]); - pedersen_ipa_verify( - verifying_key, - row_comm.into(), - opening, - &row_eqs, - v, - transcript, - ) + if pedersen_commit(verifying_key, opening) != row_comm.into() { + return false; + } + + let mut scratch = vec![C::Scalar::default(); opening.len()]; + RefMultiLinearPoly::from_ref(opening) + .evaluate_with_buffer(&local_vars[..pedersen_vars], &mut scratch) + == v } } diff --git a/poly_commit/src/hyrax/pcs_trait_impl.rs b/poly_commit/src/hyrax/pcs_trait_impl.rs index 7553db79..2fdd8f91 100644 --- a/poly_commit/src/hyrax/pcs_trait_impl.rs +++ b/poly_commit/src/hyrax/pcs_trait_impl.rs @@ -7,7 +7,7 @@ use transcript::Transcript; use crate::{ hyrax::hyrax_impl::{hyrax_commit, hyrax_open, hyrax_setup, hyrax_verify}, - HyraxCommitment, PedersenIPAProof, PedersenParams, PolynomialCommitmentScheme, + HyraxCommitment, PedersenParams, PolynomialCommitmentScheme, }; pub struct HyraxPCS @@ -33,15 +33,13 @@ where type Params = usize; type Poly = MultiLinearPoly; type EvalPoint = Vec; - type ScratchPad = Vec; + type ScratchPad = (); type SRS = PedersenParams; type Commitment = HyraxCommitment; - type Opening = PedersenIPAProof; + type Opening = Vec; - fn init_scratch_pad(#[allow(unused)] params: &Self::Params) -> Self::ScratchPad { - Vec::new() - } + fn init_scratch_pad(#[allow(unused)] params: &Self::Params) -> Self::ScratchPad {} fn gen_srs_for_testing(params: &Self::Params, rng: impl rand::RngCore) -> Self::SRS { hyrax_setup(*params, rng) @@ -51,9 +49,9 @@ where #[allow(unused)] params: &Self::Params, proving_key: &::PKey, poly: &Self::Poly, - scratch_pad: &mut Self::ScratchPad, + #[allow(unused)] scratch_pad: &mut Self::ScratchPad, ) -> Self::Commitment { - hyrax_commit(proving_key, poly, scratch_pad) + hyrax_commit(proving_key, poly) } fn open( @@ -61,10 +59,10 @@ where proving_key: &::PKey, poly: &Self::Poly, x: &Self::EvalPoint, - scratch_pad: &Self::ScratchPad, - transcript: &mut T, + #[allow(unused)] scratch_pad: &Self::ScratchPad, + #[allow(unused)] transcript: &mut T, ) -> (C::Scalar, Self::Opening) { - hyrax_open(proving_key, poly, x, scratch_pad, transcript) + hyrax_open(proving_key, poly, x) } fn verify( @@ -74,8 +72,8 @@ where x: &Self::EvalPoint, v: C::Scalar, opening: &Self::Opening, - transcript: &mut T, + #[allow(unused)] transcript: &mut T, ) -> bool { - hyrax_verify(verifying_key, commitment, x, v, opening, transcript) + hyrax_verify(verifying_key, commitment, x, v, opening) } } diff --git a/poly_commit/src/hyrax/pedersen.rs b/poly_commit/src/hyrax/pedersen.rs index 3e5a3671..2f52b45d 100644 --- a/poly_commit/src/hyrax/pedersen.rs +++ b/poly_commit/src/hyrax/pedersen.rs @@ -4,28 +4,24 @@ use halo2curves::{ group::Curve, msm, CurveAffine, }; -use rand::thread_rng; use crate::StructuredReferenceString; #[derive(Clone, Debug, Default)] pub struct PedersenParams { pub bases: Vec, - pub h: C, } impl FieldSerde for PedersenParams { const SERIALIZED_SIZE: usize = unimplemented!(); fn serialize_into(&self, mut writer: W) -> arith::FieldSerdeResult<()> { - self.bases.serialize_into(&mut writer)?; - self.h.serialize_into(&mut writer) + self.bases.serialize_into(&mut writer) } fn deserialize_from(mut reader: R) -> arith::FieldSerdeResult { let bases: Vec = Vec::deserialize_from(&mut reader)?; - let h = C::deserialize_from(&mut reader)?; - Ok(Self { bases, h }) + Ok(Self { bases }) } } @@ -45,47 +41,25 @@ pub(crate) fn pedersen_setup( where C::Scalar: PrimeField, { - let bases: Vec = (0..=length) + let bases: Vec = (0..length) .map(|_| { let scalar = C::Scalar::random(&mut rng); (C::generator() * scalar).to_affine() }) .collect(); - PedersenParams { - h: bases[0], - bases: bases[1..].to_vec(), - } + PedersenParams { bases } } pub(crate) fn pedersen_commit( params: &PedersenParams, coeffs: &[C::Scalar], -) -> (C, C::Scalar) -where - C::Scalar: PrimeField, -{ - // NOTE(HS) we want some randomness in pedersen masking, but not from transcript. - let r: C::Scalar = { - let mut rng = thread_rng(); - C::Scalar::random(&mut rng) - }; - - let what = pedersen_commit_deterministic(params, coeffs, r); - (what, r) -} - -pub(crate) fn pedersen_commit_deterministic( - params: &PedersenParams, - coeffs: &[C::Scalar], - r: C::Scalar, ) -> C where C::Scalar: PrimeField, { let mut what = C::default().to_curve(); msm::multiexp_serial(coeffs, ¶ms.bases[..coeffs.len()], &mut what); - msm::multiexp_serial(&[r], &[params.h], &mut what); what.to_affine() }