feat: add dory commitment scheme #586
Conversation
g1684774
force-pushed
the
dory
branch
3 times, most recently
from
8f76867 to
f887d89
Compare
|
Hi @g1684774 ! Thanks for taking this on! I haven't had a chance to thoroughly review your PR yet, but let me try to answer some of your questions first:
Our Transcript struct should be used for the "reduce" steps in the Dory code. Both are used to implement the Fiat-Shamir transform –– we have some running "digest" or "state", and whenever the prover makes a commitment of some sort, the commitment has to be "absorbed" into the digest (aka appended to the transcript) by making (in broad strokes) the following update:
See inline comment
What you have is fine for now!
Yes, panic is ok
See above answer about the Transcript; note that we have a
See above answer about the Transcript Btw, if you haven't already you might want to check out Section 15.4 of Justin's book, which covers Dory. There may be some discrepancies between the description there and the Go implementation, but it should provide some high-level context for why things work the way they do. |
| let v1 = params | ||
| .g1v | ||
| .iter() | ||
| .zip(poly.iter()) | ||
| .map(|(a, b)| *a * *b) | ||
| .collect::<Vec<G1<P>>>(); | ||
|
|
||
| let v2 = params | ||
| .g2v | ||
| .iter() | ||
| .zip(poly.iter()) | ||
| .map(|(a, b)| *a * *b) | ||
| .collect::<Vec<G2<P>>>(); |
There was a problem hiding this comment.
These are multi-scalar multiplications (MSMs), which we have our own optimized implementation for: https://github.com/a16z/jolt/blob/main/jolt-core/src/msm/mod.rs#L176-L220
Note that it supports all types of MultilinearPolynomials
There was a problem hiding this comment.
I took a deeper look and it seems that this is not MSM since I'm not taking the .sum(). This is a conversion of [ScalarField] -> [G1] to be used in the next steps. Does that make sense or am I missing anything?
Signed-off-by: Ray <g1684774@gmail.com>
|
Thanks for the response. I have a few more questions:
|
Where you see
The public params are the "preprocessing" required for Dory. They consist mainly of two vectors of group elements (from G1 and G2 respectively). This stuff should be output by |
| fn append_gt<P: Pairing, ProofTranscript: Transcript>(transcript: &mut ProofTranscript, gt: Gt<P>) { | ||
| let mut buf = vec![]; | ||
| gt.serialize_uncompressed(&mut buf).unwrap(); | ||
| // Serialize uncompressed gives the scalar in LE byte order which is not | ||
| // a natural representation in the EVM for scalar math so we reverse | ||
| // to get an EVM compatible version. | ||
| buf = buf.into_iter().rev().collect(); | ||
| transcript.append_bytes(&buf); | ||
| } |
There was a problem hiding this comment.
There's no append_gt in transcript, should I add it there?
I have a rewrite from DualDory (go) and I'm currently porting it to jolt.
Concerns
It looks like DualDory didn't implement commitments for polynomials opening. Also Justin's book doesn't have a section on how to implement for Multilinear polynomials.
Questions
I'd like some help to understand:
How should I populate the Transcript? Is it needed for Dory?Used for Fiat-ShamirDoes Dory support a better type of batching other than just looping over;Looping is okMultiple operations might fail, how to handle them? Is it ok to panic?YesInverting a Scalar ZeroGetting the inner product of G1xG2Go implementation used Sha2 for digest, is it ok to use Sha3?Use TranscriptHow does the reduce part fits jolt?. Reduce is used for commitments with more than 1 elementI'm new to jolt and I don't understand if the API is already defined or it needs to change to fit Dory.
I'm also currently learning about ZK and Snarks cryptography, so please let me know if there's something wrong.