From fb3257741c0389fa625b23bb5796aad601aad54e Mon Sep 17 00:00:00 2001 From: Martun Karapetyan Date: Thu, 12 Sep 2024 15:06:47 +0400 Subject: [PATCH] Added a few more structures. --- .../detail/polynomial/basic_fri.hpp | 54 ++-------- .../crypto3/zk/commitments/polynomial/lpc.hpp | 98 ++++++++++++++----- .../snark/systems/plonk/placeholder/proof.hpp | 38 ++++--- 3 files changed, 100 insertions(+), 90 deletions(-) diff --git a/libs/zk/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp b/libs/zk/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp index f163d8fc7..aa37286af 100644 --- a/libs/zk/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp +++ b/libs/zk/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp @@ -283,12 +283,12 @@ namespace nil { math::polynomial final_polynomial; }; - struct round_proofs_batch { - bool operator==(const round_proofs_batch &rhs) const { + struct round_proofs_batch_type { + bool operator==(const round_proofs_batch_type &rhs) const { return round_proofs == rhs.round_proofs; } - bool operator!=(const round_proofs_batch &rhs) const { + bool operator!=(const round_proofs_batch_type &rhs) const { return !(rhs == *this); } @@ -313,7 +313,7 @@ namespace nil { proof_type() = default; proof_type(const proof_type&) = default; - proof_type(const round_proofs_batch& round_proofs, + proof_type(const round_proofs_batch_type& round_proofs, const initial_proofs_batch_type& intial_proofs) : fri_roots(round_proofs.fri_roots) , final_polynomial(round_proofs.final_polynomial) { @@ -342,43 +342,6 @@ namespace nil { std::vector query_proofs; // 0...lambda - 1 typename GrindingType::output_type proof_of_work; }; - - // This represents and aggregated proofs of N provers with shared rounds proof. - struct aggregated_proof_type { - aggregated_proof() = default; - aggregated_proof(const aggregated_proof&) = default; - - // Size of vector 'intial_proofs_per_prover' is the number of provers. - aggregated_proof( - const round_proofs_batch& round_proofs, - const std::vector& intial_proofs_per_prover) - : round_proofs(round_proofs) - , intial_proofs_per_prover(intial_proofs_per_prover) { - } - - bool operator==(const aggregated_proof &rhs) const { - //if (FRI::use_grinding && proof_of_work != rhs.proof_of_work) { - // return false; - //} - return round_proofs == rhs.round_proofs && - intial_proofs_per_prover == rhs.intial_proofs_per_prover; - } - - bool operator!=(const aggregated_proof &rhs) const { - return !(rhs == *this); - } - - // We have a single round proof for checking that F(X) is a low degree polynomial. - round_proofs_batch round_proofs; - - // Contains fri_roots and final_polynomial that correspond to the polynomial F(x). - commitments_part_of_proof commitments_proof_part; - - // For each prover we have an initial proof for consistency checks. - std::vector intial_proofs_per_prover; - - typename GrindingType::output_type proof_of_work; - }; }; } // namespace detail } // namespace commitments @@ -1019,14 +982,14 @@ namespace nil { template - static typename FRI::round_proofs_batch query_phase_round_proofs( + static typename FRI::round_proofs_batch_type query_phase_round_proofs( const typename FRI::params_type &fri_params, const std::vector &fri_trees, const std::vector &fs, const math::polynomial &final_polynomial, const std::vector& challenges) { - typename FRI::round_proofs_batch proof; + typename FRI::round_proofs_batch_type proof; for (std::size_t query_id = 0; query_id < fri_params.lambda; query_id++) { std::size_t domain_size = fri_params.D[0]->size(); @@ -1101,7 +1064,7 @@ namespace nil { query_phase_initial_proofs( precommitments, fri_params, g, challenges); - typename FRI::round_proofs_batch round_proofs = + typename FRI::round_proofs_batch_type round_proofs = query_phase_round_proofs( fri_params, fri_trees, fs, final_polynomial, challenges); @@ -1128,7 +1091,7 @@ namespace nil { { PROFILE_SCOPE("Basic FRI query phase"); std::vector challenges = - transcript.template challenge(fri_params.lambda); + transcript.template challenges(fri_params.lambda); return query_phase_with_challenges( precommitments, fri_params, challenges, g, fri_trees, fs, final_polynomial); @@ -1162,7 +1125,6 @@ namespace nil { // Commit phase std::vector fri_trees; - std::vector fri_roots; std::vector fs; math::polynomial final_polynomial; diff --git a/libs/zk/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp b/libs/zk/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp index caa2e72e0..4ea8112eb 100644 --- a/libs/zk/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp +++ b/libs/zk/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp @@ -186,8 +186,8 @@ namespace nil { transcript(it.second.root()); } - std::vector challenges = - transcript.template challenge(this->_fri_params.lambda); + std::vector challenges = + transcript.template challenges(this->_fri_params.lambda); typename fri_type::initial_proofs_batch_type initial_proofs = nil::crypto3::zk::algorithms::query_phase_initial_proofs( @@ -195,25 +195,54 @@ namespace nil { return {this->_z, initial_proofs}; } + /** This function must be called once for the aggregated FRI, to proof that polynomial + 'sum_poly' has low degree. + * \param[in] sum_poly - polynomial F(x) = Sum(combined_Q). + * \param[in] transcript - This transcript is initialized on the main prover, which has digested + challenges from all the other provers. + */ round_proof_type proof_eval_round_proof(const polynomial_type& sum_poly, transcript_type &transcript) { + // TODO(martun): this function belongs to FRI, not here, will move later. + // Precommit to sum_poly. + precommitment_type sum_poly_precommitment = nil::crypto3::zk::algorithms::precommit( + sum_poly, + _fri_params.D[0], + _fri_params.step_list.front() + ); - this->eval_polys(); + std::vector fri_trees; + std::vector fs; + math::polynomial final_polynomial; - BOOST_ASSERT(this->_points.size() == this->_polys.size()); - BOOST_ASSERT(this->_points.size() == this->_z.get_batches_num()); + // Contains fri_roots and final_polynomial. + typename fri_type::commitments_part_of_proof commitments_proof; - // For each batch we have a merkle tree. - for (auto const& it: this->_trees) { - transcript(it.second.root()); - } + // Commit to sum_poly. + std::tie(fs, fri_trees, commitments_proof) = + nil::crypto3::zk::algorithms::commit_phase( + sum_poly, + sum_poly_precommitment, + _fri_params, transcript); - // Prepare z-s and combined_Q; - auto theta = transcript.template challenge(); - polynomial_type combined_Q = prepare_combined_Q(theta); + std::vector challenges = + transcript.template challenges(this->_fri_params.lambda); - auto fri_proof = commit_and_fri_proof(combined_Q, transcript); - return proof_type({this->_z, fri_proof}); + round_proof_type result; + + result.fri_round_proof = nil::crypto3::zk::algorithms::query_phase_round_proofs< + fri_type, polynomial_type>( + _fri_params, + fri_trees, + fs, + sum_poly, + challenges); + + result.fri_commitments_proof_part.fri_roots = std::move(commitments_proof.fri_roots); + result.fri_commitments_proof_part.final_polynomial = std::move(final_polynomial); + + return result; } + typename fri_type::proof_type commit_and_fri_proof( const polynomial_type& combined_Q, transcript_type &transcript) { @@ -224,8 +253,7 @@ namespace nil { ); typename fri_type::proof_type fri_proof = nil::crypto3::zk::algorithms::proof_eval< - fri_type, polynomial_type - >( + fri_type, polynomial_type>( this->_polys, combined_Q, this->_trees, @@ -496,9 +524,10 @@ namespace nil { typename basic_fri::proof_type fri_proof; }; + // Represents an initial proof, which must be created for each of the N provers. struct initial_proof_type { bool operator==(const initial_proof_type &rhs) const { - return fri_proof == rhs.fri_proof && z == rhs.z; + return initial_fri_proof == rhs.initial_fri_proof && z == rhs.z; } bool operator!=(const initial_proof_type &rhs) const { @@ -509,22 +538,45 @@ namespace nil { typename basic_fri::initial_proofs_batch_type initial_fri_proof; }; + // Represents a round proof, which must be created just once on the main prover. + struct round_proof_type { + bool operator==(const round_proof_type &rhs) const { + return fri_round_proof == rhs.fri_round_proof && + fri_commitments_proof_part == rhs.fri_commitments_proof_part; + } + + bool operator!=(const round_proof_type &rhs) const { + return !(rhs == *this); + } + + // We have a single round proof for checking that F(X) is a low degree polynomial. + typename basic_fri::round_proofs_batch_type fri_round_proof; + + // Contains fri_roots and final_polynomial that correspond to the polynomial F(x). + typename basic_fri::commitments_part_of_proof fri_commitments_proof_part; + }; + // A single instance of this class will store all the LPC proofs for a group of provers // when aggregated FRI is used. struct aggregated_proof_type { - bool operator==(const proof_type &rhs) const { - return fri_proof == rhs.fri_proof && z == rhs.z; + bool operator==(const aggregated_proof_type &rhs) const { + return round_proofs == rhs.round_proofs && + intial_proofs_per_prover == rhs.intial_proofs_per_prover && + proof_of_work == rhs.proof_of_work; } bool operator!=(const proof_type &rhs) const { return !(rhs == *this); } - // Each prover will have its own evaluation storage. - std::vector z; - typename basic_fri::aggregated_proof_type aggregated_fri_proof; - }; + // We have a single round proof for checking that F(X) is a low degree polynomial. + round_proof_type round_proofs; + // For each prover we have an initial proof. + std::vector intial_proofs_per_prover; + + typename LPCParams::grinding_type::output_type proof_of_work; + }; }; template diff --git a/libs/zk/include/nil/crypto3/zk/snark/systems/plonk/placeholder/proof.hpp b/libs/zk/include/nil/crypto3/zk/snark/systems/plonk/placeholder/proof.hpp index 22e4c12b5..c5cd9b9d3 100644 --- a/libs/zk/include/nil/crypto3/zk/snark/systems/plonk/placeholder/proof.hpp +++ b/libs/zk/include/nil/crypto3/zk/snark/systems/plonk/placeholder/proof.hpp @@ -55,17 +55,16 @@ namespace nil { using commitment_scheme_type = typename ParamsType::commitment_scheme_type; using commitment_type = typename commitment_scheme_type::commitment_type; - placeholder_partial_proof() { - } - - std::map commitments; + placeholder_partial_proof() = default; - bool operator==(const placeholder_proof &rhs) const { + bool operator==(const placeholder_partial_proof &rhs) const { return commitments == rhs.commitments; } - bool operator!=(const placeholder_proof &rhs) const { + bool operator!=(const placeholder_partial_proof &rhs) const { return !(rhs == *this); } + + std::map commitments; }; /** @@ -76,7 +75,7 @@ namespace nil { * about the structure for marshalling purposes. */ template - struct placeholder_proof : public placeholder_partial_proof { + struct placeholder_proof : public placeholder_partial_proof { static constexpr std::size_t FIXED_VALUES_BATCH = 0; static constexpr std::size_t VARIABLE_VALUES_BATCH = 1; static constexpr std::size_t PERMUTATION_BATCH = 2; @@ -104,18 +103,17 @@ namespace nil { } }; - placeholder_proof() { - } - - evaluation_proof eval_proof; + placeholder_proof() = default; bool operator==(const placeholder_proof &rhs) const { - return commitments == rhs.commitments && + return placeholder_partial_proof::operator==(rhs) && eval_proof == rhs.eval_proof; } bool operator!=(const placeholder_proof &rhs) const { return !(rhs == *this); } + + evaluation_proof eval_proof; }; /** @@ -131,22 +129,20 @@ namespace nil { using commitment_scheme_type = typename ParamsType::commitment_scheme_type; using commitment_type = typename commitment_scheme_type::commitment_type; - placeholder_aggregated_proof() { - } - - // This vector contains N partial proofs, one per prover. - std::vector partial_proofs; - typename commitment_type::aggregated_proof_type aggregated_proof; + placeholder_aggregated_proof() = default; bool operator==(const placeholder_aggregated_proof &rhs) const { - return commitments == rhs.commitments && - eval_proof == rhs.eval_proof; + return partial_proofs == rhs.partial_proofs && + aggregated_proof == rhs.aggregated_proof; } bool operator!=(const placeholder_aggregated_proof &rhs) const { return !(rhs == *this); } - }; + // This vector contains N partial proofs, one per prover. + std::vector> partial_proofs; + typename commitment_type::aggregated_proof_type aggregated_proof; + }; } // namespace snark } // namespace zk } // namespace crypto3