Add Brakedown multilinear PCS (#131)

* added hyrax PCS

* Add univariate and multilinear Ligero PCS

Co-authored-by: Hossein Moghaddas <autquis@gmail.com>
Co-authored-by: Antonio Mejías Gil <anmegi.95@gmail.com>

* Add Brakedown

* adapt the scheme to arkworks-rs/algebra#691

* move tests shared across univariate and ML ligero to utils

* adapt the scheme to arkworks-rs/algebra#691

* move tests shared across schemes to utils

* remove unused no-std import

* adapt the scheme to arkworks-rs/algebra#691

* remove unused code in hyrax

* Improve the choice of dimensions for polynomial matrix

* Update comments

* parallelised row encoding and col-to-leaf hashing; significant performance gains

* parallelised row encoding and col-to-leaf hashing; significant performance gains

* expanded on Future Optimisations section

* fixed GH action failures: formatted and added feature flag

* fixed GH action failures: formatted and added feature flag

* remove Prepared data types from `PolynomialCommitment` trait

* remove Prepared data types from `PolynomialCommitment` trait

* Remove Prepared data types from `PolynomialCommitment` trait impl

* added necessary dependencies overwritten by previous merge commit

* fixed hashbrown version

* Add back the cfg dependency for no-std build

* fixed hashbrown version

* pulled

* created separate benchmark files

* fixed duplicate dependency to match other branches

* patched bn254 dep

* restructured benchmark macros to accept ML schemes; benches working

* moved hashing structures to bench-templates crate, started ligero bench coding

* completed ligero benchmarks

* added ligero benchmark file

* adapted to new crate structure and created benchmark for ML brakedown

* Hyrax fix bench (#42)

* fix bench call

* set num vars from 12-20

* Brakedown fix bench (#41)

* fix bench call

* set num vars from 12-20

* Ligero fix benches (#40)

* fix bench call

* set num vars from 12-20

* Hyrax parallel `commit` (#39)

* Enable parallel commitment in hyrax

amend

* make `rand` optional

* remove dead code

* Make Hyrax hiding again (#43)

* removed evaluation randomness from proof and ignored claimed value in check to make scheme hiding

* fmt

* removed unnecessary usage of argument  in check, added _

* remove cfg(benches) attributes as that feature is no longer used

* Fix tests: sponge config for univariate ligero

* Fix the comment

Co-authored-by: Marcin <marcin.gorny.94@protonmail.com>

* Delete `IOPTranscript`, update with master (#44) (aka Brakedown++)

* Add the trait bounds

* Add `CommitmentState`

* Update benches for the new type

* Fix the name of local variable

* Merge `PCCommitmentState` with `PCRandomness`

* Update `README.md`

* Fix a bug

* Complete the merge

* Simplify `hash_column`

* Delete comments

* Add `CommitmentState`

* Make `fmt` happy

* Refactor, remove `hash_columns`

* Rename all params

* remove cfg(benches) attributes as that feature is no longer used

* Brakedown+++ (#46)

* conversion to `into_iter` is a no-op

* remove explicit casts to vecs

* rename to use singular of `labeled_commitment`

* simplify the iterators even further by zipping two iters

* Apply suggestions from code review

* Maybe `empty` not return `Self`

* Make `empty` return `Self`

* Rename `rand` to `state`

* Add the type `Randomness`

* Rename nonnative to emulated, as in `r1cs-std` (#137)

* Rename nonnative to emulated, as in `r1cs-std`

* Run `fmt`

* Temporarily change `Cargo.toml`

* Revert `Cargo.toml`

* Refactor `FoldedPolynomialStream` partially

* Substitute `ChallengeGenerator` by the generic sponge (#139)

* Rename nonnative to emulated, as in `r1cs-std`

* Run `fmt`

* Temporarily change `Cargo.toml`

* Substitute `ChallengeGenerator` with the generic sponge

* Run `fmt`

* Remove the extra file

* Update modules

* Delete the unnecessary loop

* Revert `Cargo.toml`

* Refactor `FoldedPolynomialStream` partially

* Update README

* Make the diff more readable

* Bring the whitespace back

* Make diff more readable, 2

* Fix according to breaking changes in `ark-ec` (#141)

* Fix for KZG10

* Fix the breaking changes in `ark-ec`

* Remove the extra loop

* Fix the loop range

* re-use the preprocessing table

* also re-use the preprocessing table for multilinear_pc

---------

Co-authored-by: mmagician <marcin.gorny.94@protonmail.com>

* Auxiliary opening data (#134)

* Add the trait bounds

* Add `CommitmentState`

* Update benches for the new type

* Fix the name of local variable

* Merge `PCCommitmentState` with `PCRandomness`

* Update `README.md`

* Fix a bug

* Put `Randomness` in `CommitmentState`

* Add a comment

* Remove the extra loop

* Update the comment for `CommitmentState`

Co-authored-by: Marcin <marcin.gorny.94@protonmail.com>

* cargo fmt

---------

Co-authored-by: Marcin <marcin.gorny.94@protonmail.com>

* `batch_mul_with_preprocessing` no longer takes `self` as argument (#142)

* batch_mul_with_preprocessing no longer takes `self` as argument

* Apply suggestions from code review

Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* fix variable name

---------

Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* Remove `ChallengeGenerator` for Brakedown (#53)

* Squash and merge `delete-chalgen` onto here

* Fix Brakedown for `ChallengeGenerator` and `AsRef` for Merkle tree

* Remove `IOPTranscript` (#52)

* Replace the `IOPTranscript` with `CryptographicSponge`

* Delete extra comments

* Delete TODOs and do not absorb what you just squeezed

* Remove the extra loop

* Revert the incorrect changes in `bench-tamplates`

---------

Co-authored-by: mmagician <marcin.gorny.94@protonmail.com>
Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* Update a comment

* Delete `IOPTranscript`, update with master (#50) (aka Hyrax++)

* Add the trait bounds

* Add `CommitmentState`

* Update benches for the new type

* Fix the name of local variable

* Merge `PCCommitmentState` with `PCRandomness`

* Update `README.md`

* Fix a bug

* Change `Randomness` to `CommitmentState`

* Maybe `empty` not return `Self`

* Make `empty` return `Self`

* Rename `rand` to `state`

* Partially integrate the new design into Hyrax

* Update Hyrax with the shared state

* Rename nonnative to emulated, as in `r1cs-std` (#137)

* Rename nonnative to emulated, as in `r1cs-std`

* Run `fmt`

* Temporarily change `Cargo.toml`

* Revert `Cargo.toml`

* Refactor `FoldedPolynomialStream` partially

* Substitute `ChallengeGenerator` by the generic sponge (#139)

* Rename nonnative to emulated, as in `r1cs-std`

* Run `fmt`

* Temporarily change `Cargo.toml`

* Substitute `ChallengeGenerator` with the generic sponge

* Run `fmt`

* Remove the extra file

* Update modules

* Delete the unnecessary loop

* Revert `Cargo.toml`

* Refactor `FoldedPolynomialStream` partially

* Update README

* Make the diff more readable

* Bring the whitespace back

* Make diff more readable, 2

* Fix according to breaking changes in `ark-ec` (#141)

* Fix for KZG10

* Fix the breaking changes in `ark-ec`

* Remove the extra loop

* Fix the loop range

* re-use the preprocessing table

* also re-use the preprocessing table for multilinear_pc

---------

Co-authored-by: mmagician <marcin.gorny.94@protonmail.com>

* Auxiliary opening data (#134)

* Add the trait bounds

* Add `CommitmentState`

* Update benches for the new type

* Fix the name of local variable

* Merge `PCCommitmentState` with `PCRandomness`

* Update `README.md`

* Fix a bug

* Put `Randomness` in `CommitmentState`

* Add a comment

* Remove the extra loop

* Update the comment for `CommitmentState`

Co-authored-by: Marcin <marcin.gorny.94@protonmail.com>

* cargo fmt

---------

Co-authored-by: Marcin <marcin.gorny.94@protonmail.com>

* `batch_mul_with_preprocessing` no longer takes `self` as argument (#142)

* batch_mul_with_preprocessing no longer takes `self` as argument

* Apply suggestions from code review

Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* fix variable name

---------

Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* Remove ChallengeGenerator for Ligero (#56)

* Squash and merge `delete-chalgen` onto here

* Fix for `ChallengeGenerator`

* Delete `IOPTranscript` for Hyrax (#55)

* Use the sponge generic and rearrange `use`s

* Use sponge instead of `IOPTransript`

* Fix benches

* Remove the extra loop

---------

Co-authored-by: mmagician <marcin.gorny.94@protonmail.com>
Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* Delete `merlin` from dependencies

* Delete `IOPTranscript`, update with master (#51) (aka Ligero++)

* Add the trait bounds

* Add `CommitmentState`

* Update benches for the new type

* Fix the name of local variable

* Merge `PCCommitmentState` with `PCRandomness`

* Update `README.md`

* Fix a bug

* Simplify `hash_column`

* Delete comments

* Add `CommitmentState`

* Make `fmt` happy

* Refactor, remove `hash_columns`

* Rename all params

* Maybe `empty` not return `Self`

* Make `empty` return `Self`

* Rename `rand` to `state`

* Add type `Randomness`

* Ligero+++ (#46)

* conversion to `into_iter` is a no-op

* remove explicit casts to vecs

* rename to use singular of `labeled_commitment`

* simplify the iterators even further by zipping two iters

* Apply suggestions from code review

* Fix tests: sponge config for univariate ligero

* Rename nonnative to emulated, as in `r1cs-std` (#137)

* Rename nonnative to emulated, as in `r1cs-std`

* Run `fmt`

* Temporarily change `Cargo.toml`

* Revert `Cargo.toml`

* Refactor `FoldedPolynomialStream` partially

* Substitute `ChallengeGenerator` by the generic sponge (#139)

* Rename nonnative to emulated, as in `r1cs-std`

* Run `fmt`

* Temporarily change `Cargo.toml`

* Substitute `ChallengeGenerator` with the generic sponge

* Run `fmt`

* Remove the extra file

* Update modules

* Delete the unnecessary loop

* Revert `Cargo.toml`

* Refactor `FoldedPolynomialStream` partially

* Update README

* Make the diff more readable

* Bring the whitespace back

* Make diff more readable, 2

* Fix according to breaking changes in `ark-ec` (#141)

* Fix for KZG10

* Fix the breaking changes in `ark-ec`

* Remove the extra loop

* Fix the loop range

* re-use the preprocessing table

* also re-use the preprocessing table for multilinear_pc

---------

Co-authored-by: mmagician <marcin.gorny.94@protonmail.com>

* Auxiliary opening data (#134)

* Add the trait bounds

* Add `CommitmentState`

* Update benches for the new type

* Fix the name of local variable

* Merge `PCCommitmentState` with `PCRandomness`

* Update `README.md`

* Fix a bug

* Put `Randomness` in `CommitmentState`

* Add a comment

* Remove the extra loop

* Update the comment for `CommitmentState`

Co-authored-by: Marcin <marcin.gorny.94@protonmail.com>

* cargo fmt

---------

Co-authored-by: Marcin <marcin.gorny.94@protonmail.com>

* `batch_mul_with_preprocessing` no longer takes `self` as argument (#142)

* batch_mul_with_preprocessing no longer takes `self` as argument

* Apply suggestions from code review

Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* fix variable name

---------

Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* Remove `ChallengeGenerator` and `IOPTranscript` for Ligero (#57)

* Squash and merge `delete-chalgen` onto here

* Fix Ligero for `ChallengeGenerator` and `AsRef` for Merkle tree

* Fix tests: sponge config for univariate ligero

* Delete `IOPTranscript` for Ligero (#54)

* Replace the `IOPTranscript` with `CryptographicSponge`

* Delete extra comments

* Run fmt

* Fix tests: sponge config for univariate ligero

* Delete TODOs and do not absorb what you just squeezed

* Fix unused import

* Revert "Fix unused import"

This reverts commit e85af90.

* Try to fix

* Remove the extra loop

---------

Co-authored-by: mmagician <marcin.gorny.94@protonmail.com>
Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* Add a few comments and update `Cargo.toml`

* Remove extra `cfg_iter!`

Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* Change `pedersen_commit` and add `cfg_into_iter!`

* Hash and absorb

* BrakedownPCSParams need to be exported publicly

* only enable num-traits on aarch (#58)

* added Sync trait bound

Co-authored-by: Cesar Descalzo <Cesar199999@users.noreply.github.com>

* removed TODO

* Fixed error whereby boolean value returned by path.verify was neglected

Co-authored-by: Cesar Descalzo <Cesar199999@users.noreply.github.com>

Co-authored-by: mmagician <marcin.gorny.94@protonmail.com>

* removed unnecessary qualification which linter didn't like

* changed potential panic to returning Err, stopping early

Co-authored-by: Cesar Descalzo <Cesar199999@users.noreply.github.com>

* removed unnecessary function defined inside check()

Co-authored-by: Cesar Descalzo <Cesar199999@users.noreply.github.com>

* various minor fixes

* Add `ark-std` to patch

* Reorder Hyrax checks

Co-authored-by: Antonio Mejías Gil <anmegi.95@gmail.com>

* Add `ark-std` to patch

* Downgrade `hashbrown`

* Fix breaking change from algebra/poly (#72)

* Reorder deps

* Add dummy doc for nightly

* Fix `hashbrown` + Replace Blake2 by Blake3

* Revert to Blake2

* Fix merging issues

* Test if CI is happy

* Revert and cleanup

* Delete dummy doc

* Bring back `num_traits`

* Fix merge conflict for README.md

Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* Add `/` to Cargo.toml

---------

Co-authored-by: Antonio Mejías Gil <anmegi.95@gmail.com>
Co-authored-by: mmagician <marcin.gorny.94@protonmail.com>
Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>
Co-authored-by: Cesar Descalzo <Cesar199999@users.noreply.github.com>
Co-authored-by: Cesar199999 <cesar.descalzo2@gmail.com>

README.md

@@ -183,6 +183,7 @@ Unless you explicitly state otherwise, any contribution that you submit to this
 [aurora-light]: https://ia.cr/2019/601
 [pcd-acc]: https://ia.cr/2020/499
 [pst]: https://ia.cr/2011/587
+[brakedown]: https://ia.cr/2021/1043
 [ligero]: https://ia.cr/2022/1608
 [hyrax]: https://eprint.iacr.org/2017/1132
 
@@ -220,6 +221,10 @@ CCS 2017
 Riad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, Michael Walfish
 2018 IEEE Symposium on Security and Privacy
 
+[Brakedown: Linear-time and field-agnostic SNARKs for R1CS][brakedown]    
+Alexander Golovnev, Jonathan Lee, Srinath Setty, Justin Thaler, Riad S. Wahby    
+CRYPTO 2023
+
 ## Acknowledgements
 
 This work was supported by: an Engineering and Physical Sciences Research Council grant; a Google Faculty Award; the RISELab at UC Berkeley; and donations from the Ethereum Foundation and the Interchain Foundation.

poly-commit/Cargo.toml

@@ -33,12 +33,16 @@ name = "ipa_times"
 path = "benches/ipa_times.rs"
 harness = false
 
+[[bench]]
+name = "brakedown_times"
+path = "benches/brakedown_ml_times.rs"
+harness = false
+
 [[bench]]
 name = "ligero_ml_times"
 path = "benches/ligero_ml_times.rs"
 harness = false
 
-
 [[bench]]
 name = "hyrax_times"
 path = "benches/hyrax_times.rs"

poly-commit/benches/brakedown_ml_times.rs

@@ -0,0 +1,59 @@
+use ark_crypto_primitives::{
+    crh::{sha256::Sha256, CRHScheme, TwoToOneCRHScheme},
+    merkle_tree::{ByteDigestConverter, Config},
+};
+use ark_pcs_bench_templates::*;
+use ark_poly::{DenseMultilinearExtension, MultilinearExtension};
+
+use ark_bn254::Fr;
+use ark_ff::PrimeField;
+
+use ark_poly_commit::linear_codes::{LinearCodePCS, MultilinearBrakedown};
+use blake2::Blake2s256;
+use rand_chacha::ChaCha20Rng;
+
+// Brakedown PCS over BN254
+struct MerkleTreeParams;
+type LeafH = LeafIdentityHasher;
+type CompressH = Sha256;
+impl Config for MerkleTreeParams {
+    type Leaf = Vec<u8>;
+
+    type LeafDigest = <LeafH as CRHScheme>::Output;
+    type LeafInnerDigestConverter = ByteDigestConverter<Self::LeafDigest>;
+    type InnerDigest = <CompressH as TwoToOneCRHScheme>::Output;
+
+    type LeafHash = LeafH;
+    type TwoToOneHash = CompressH;
+}
+
+pub type MLE<F> = DenseMultilinearExtension<F>;
+type MTConfig = MerkleTreeParams;
+type ColHasher<F> = FieldToBytesColHasher<F, Blake2s256>;
+type Brakedown<F> = LinearCodePCS<
+    MultilinearBrakedown<F, MTConfig, MLE<F>, ColHasher<F>>,
+    F,
+    MLE<F>,
+    MTConfig,
+    ColHasher<F>,
+>;
+
+fn rand_poly_brakedown_ml<F: PrimeField>(
+    num_vars: usize,
+    rng: &mut ChaCha20Rng,
+) -> DenseMultilinearExtension<F> {
+    DenseMultilinearExtension::rand(num_vars, rng)
+}
+
+fn rand_point_brakedown_ml<F: PrimeField>(num_vars: usize, rng: &mut ChaCha20Rng) -> Vec<F> {
+    (0..num_vars).map(|_| F::rand(rng)).collect()
+}
+
+const MIN_NUM_VARS: usize = 12;
+const MAX_NUM_VARS: usize = 22;
+
+bench!(
+    Brakedown<Fr>,
+    rand_poly_brakedown_ml,
+    rand_point_brakedown_ml
+);

poly-commit/src/error.rs

@@ -119,6 +119,9 @@ pub enum Error {
     /// Error resulting from hashing in linear code - based PCS.
     HashingError,
 
+    /// Shows that encoding is not feasible
+    EncodingError,
+
     /// This means a commitment with a certain label was matched with a
     /// a polynomial which has a different label - which shouldn't happen
     MismatchedLabels {
@@ -235,6 +238,7 @@ impl core::fmt::Display for Error {
             Error::TranscriptError => write!(f, "Incorrect transcript manipulation"),
             Error::InvalidParameters(err) => write!(f, "{}", err),
             Error::HashingError => write!(f, "Error resulting from hashing"),
+            Error::EncodingError => write!(f, "Encoding failed"),
             Error::MismatchedLabels { commitment_label, polynomial_label } =>
                 write!(f, "Mismatched labels: commitment label: {}, polynomial label: {}",
                     commitment_label,

poly-commit/src/lib.rs

@@ -131,6 +131,7 @@ pub mod streaming_kzg;
 /// Scheme based on the Ligero construction in [[Ligero]][ligero].
 ///
 /// [ligero]: https://eprint.iacr.org/2022/1608
+/// [brakedown]: https://eprint.iacr.org/2021/1043.pdf
 pub mod linear_codes;
 
 /// A polynomial commitment scheme based on the hardness of the