From 1de666d9380c98f1baf922428a0e4a19f176ab3d Mon Sep 17 00:00:00 2001 From: Martun Karapetyan Date: Thu, 12 Sep 2024 15:06:47 +0400 Subject: [PATCH] Added a few more structures. --- .../detail/polynomial/basic_fri.hpp | 52 ++--------- .../crypto3/zk/commitments/polynomial/lpc.hpp | 89 ++++++++++++++----- 2 files changed, 76 insertions(+), 65 deletions(-) diff --git a/libs/zk/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp b/libs/zk/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp index c6e5b6bc5..fcd665797 100644 --- a/libs/zk/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp +++ b/libs/zk/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp @@ -283,12 +283,12 @@ namespace nil { math::polynomial final_polynomial; }; - struct round_proofs_batch { - bool operator==(const round_proofs_batch &rhs) const { + struct round_proofs_batch_type { + bool operator==(const round_proofs_batch_type &rhs) const { return round_proofs == rhs.round_proofs; } - bool operator!=(const round_proofs_batch &rhs) const { + bool operator!=(const round_proofs_batch_type &rhs) const { return !(rhs == *this); } @@ -313,7 +313,7 @@ namespace nil { proof_type() = default; proof_type(const proof_type&) = default; - proof_type(const round_proofs_batch& round_proofs, + proof_type(const round_proofs_batch_type& round_proofs, const initial_proofs_batch_type& intial_proofs) : fri_roots(round_proofs.fri_roots) , final_polynomial(round_proofs.final_polynomial) { @@ -342,43 +342,6 @@ namespace nil { std::vector query_proofs; // 0...lambda - 1 typename GrindingType::output_type proof_of_work; }; - - // This represents and aggregated proofs of N provers with shared rounds proof. - struct aggregated_proof_type { - aggregated_proof() = default; - aggregated_proof(const aggregated_proof&) = default; - - // Size of vector 'intial_proofs_per_prover' is the number of provers. - aggregated_proof( - const round_proofs_batch& round_proofs, - const std::vector& intial_proofs_per_prover) - : round_proofs(round_proofs) - , intial_proofs_per_prover(intial_proofs_per_prover) { - } - - bool operator==(const aggregated_proof &rhs) const { - //if (FRI::use_grinding && proof_of_work != rhs.proof_of_work) { - // return false; - //} - return round_proofs == rhs.round_proofs && - intial_proofs_per_prover == rhs.intial_proofs_per_prover; - } - - bool operator!=(const aggregated_proof &rhs) const { - return !(rhs == *this); - } - - // We have a single round proof for checking that F(X) is a low degree polynomial. - round_proofs_batch round_proofs; - - // Contains fri_roots and final_polynomial that correspond to the polynomial F(x). - commitments_part_of_proof commitments_proof_part; - - // For each prover we have an initial proof for consistency checks. - std::vector intial_proofs_per_prover; - - typename GrindingType::output_type proof_of_work; - }; }; } // namespace detail } // namespace commitments @@ -1016,14 +979,14 @@ namespace nil { } template - static typename FRI::round_proofs_batch query_phase_round_proofs( + static typename FRI::round_proofs_batch_type query_phase_round_proofs( const typename FRI::params_type &fri_params, const std::vector &fri_trees, const std::vector &fs, const math::polynomial &final_polynomial, const std::vector& challenges) { - typename FRI::round_proofs_batch proof; + typename FRI::round_proofs_batch_type proof; for (std::size_t query_id = 0; query_id < fri_params.lambda; query_id++) { std::size_t domain_size = fri_params.D[0]->size(); @@ -1098,7 +1061,7 @@ namespace nil { query_phase_initial_proofs( precommitments, fri_params, g, challenges); - typename FRI::round_proofs_batch round_proofs = + typename FRI::round_proofs_batch_type round_proofs = query_phase_round_proofs( fri_params, fri_trees, fs, final_polynomial, challenges); @@ -1157,7 +1120,6 @@ namespace nil { // Commit phase std::vector fri_trees; - std::vector fri_roots; std::vector fs; math::polynomial final_polynomial; diff --git a/libs/zk/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp b/libs/zk/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp index caa2e72e0..120de249f 100644 --- a/libs/zk/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp +++ b/libs/zk/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp @@ -187,7 +187,7 @@ namespace nil { } std::vector challenges = - transcript.template challenge(this->_fri_params.lambda); + transcript.template challenges(this->_fri_params.lambda); typename fri_type::initial_proofs_batch_type initial_proofs = nil::crypto3::zk::algorithms::query_phase_initial_proofs( @@ -195,25 +195,51 @@ namespace nil { return {this->_z, initial_proofs}; } + /** This function must be called once for the aggregated FRI, to proof that polynomial + 'sum_poly' has low degree. + * \param[in] sum_poly - polynomial F(x) = Sum(combined_Q). + * \param[in] transcript - This transcript is initialized on the main prover, which has digested + challenges from all the other provers. + */ round_proof_type proof_eval_round_proof(const polynomial_type& sum_poly, transcript_type &transcript) { + // TODO(martun): this function belongs to FRI, not here, will move later. + // Precommit to sum_poly. + precommitment_type sum_poly_precommitment = nil::crypto3::zk::algorithms::precommit( + sum_poly, + _fri_params.D[0], + _fri_params.step_list.front() + ); - this->eval_polys(); + std::vector fri_trees; + std::vector fs; + math::polynomial final_polynomial; - BOOST_ASSERT(this->_points.size() == this->_polys.size()); - BOOST_ASSERT(this->_points.size() == this->_z.get_batches_num()); + // Commit to sum_poly. + std::tie(fs, fri_trees, commitments_proof) = + nil::crypto3::zk::algorithms::commit_phase( + sum_poly, + sum_poly_precommitment, + _fri_params, transcript); - // For each batch we have a merkle tree. - for (auto const& it: this->_trees) { - transcript(it.second.root()); - } + std::vector challenges = + transcript.template challenges(this->_fri_params.lambda); - // Prepare z-s and combined_Q; - auto theta = transcript.template challenge(); - polynomial_type combined_Q = prepare_combined_Q(theta); + round_proof_type result; - auto fri_proof = commit_and_fri_proof(combined_Q, transcript); - return proof_type({this->_z, fri_proof}); + result.fri_round_proof = nil::crypto3::zk::algorithms::query_phase_round_proofs< + fri_type, polynomial_type>( + _fri_params, + fri_trees, + fs, + sum_poly, + challenges); + + result.fri_commitments_proof_part.fri_roots = std::move(commitments_proof.fri_roots); + result.fri_commitments_proof_part.final_polynomial = std::move(final_polynomial); + + return result; } + typename fri_type::proof_type commit_and_fri_proof( const polynomial_type& combined_Q, transcript_type &transcript) { @@ -224,8 +250,7 @@ namespace nil { ); typename fri_type::proof_type fri_proof = nil::crypto3::zk::algorithms::proof_eval< - fri_type, polynomial_type - >( + fri_type, polynomial_type>( this->_polys, combined_Q, this->_trees, @@ -496,9 +521,10 @@ namespace nil { typename basic_fri::proof_type fri_proof; }; + // Represents an initial proof, which must be created for each of the N provers. struct initial_proof_type { bool operator==(const initial_proof_type &rhs) const { - return fri_proof == rhs.fri_proof && z == rhs.z; + return initial_fri_proof == rhs.initial_fri_proof && z == rhs.z; } bool operator!=(const initial_proof_type &rhs) const { @@ -509,6 +535,24 @@ namespace nil { typename basic_fri::initial_proofs_batch_type initial_fri_proof; }; + // Represents a round proof, which must be created just once on the main prover. + struct round_proof_type { + bool operator==(const round_proof_type &rhs) const { + return fri_round_proof == rhs.fri_round_proof && + fri_commitments_proof_part == rhs.fri_commitments_proof_part; + } + + bool operator!=(const round_proof_type &rhs) const { + return !(rhs == *this); + } + + // We have a single round proof for checking that F(X) is a low degree polynomial. + typename basic_fri::round_proofs_batch_type fri_round_proof; + + // Contains fri_roots and final_polynomial that correspond to the polynomial F(x). + typename basic_fri::commitments_part_of_proof fri_commitments_proof_part; + }; + // A single instance of this class will store all the LPC proofs for a group of provers // when aggregated FRI is used. struct aggregated_proof_type { @@ -520,11 +564,16 @@ namespace nil { return !(rhs == *this); } - // Each prover will have its own evaluation storage. - std::vector z; - typename basic_fri::aggregated_proof_type aggregated_fri_proof; - }; + // We have a single round proof for checking that F(X) is a low degree polynomial. + round_proof_type round_proofs; + + // For each prover we have an initial proof. + std::vector intial_proofs_per_prover; + // TODO: add here some proof for consistency of F(x). + + typename GrindingType::output_type proof_of_work; + }; }; template