Merge branch 'ligero-uni-and-ml' into brakedown

CHANGELOG.md

@@ -13,6 +13,7 @@
 - [\#82](https://github.com/arkworks-rs/poly-commit/pull/82) Add multivariate opening challenge strategy. Integrate with sponge API.
 
 ### Improvements
+- [\#152](https://github.com/arkworks-rs/poly-commit/issues/152) Expose `kzg10::open_with_witness_polynomial` and `open` downstream.
 
 ### Bug fixes
 

Cargo.toml

@@ -28,6 +28,7 @@ incremental = true
 debug = true
 
 [patch.crates-io]
+ark-std = { git = "https://github.com/arkworks-rs/std/" }
 ark-ff = { git = "https://github.com/arkworks-rs/algebra/" }
 ark-ec = { git = "https://github.com/arkworks-rs/algebra/" }
 ark-serialize = { git = "https://github.com/arkworks-rs/algebra/" }
@@ -36,6 +37,6 @@ ark-poly = { git = "https://github.com/arkworks-rs/algebra/" }
 ark-crypto-primitives = { git = "https://github.com/arkworks-rs/crypto-primitives" }
 ark-r1cs-std = { git = "https://github.com/arkworks-rs/r1cs-std/" }
 
-ark-bls12-377 = { git = "https://github.com/arkworks-rs/curves/" }
-ark-bls12-381 = { git = "https://github.com/arkworks-rs/curves/" }
-ark-bn254 = { git = "https://github.com/arkworks-rs/curves/" }
+ark-bls12-377 = { git = "https://github.com/arkworks-rs/algebra/" }
+ark-bls12-381 = { git = "https://github.com/arkworks-rs/algebra/" }
+ark-bn254 = { git = "https://github.com/arkworks-rs/algebra/" }

README.md

@@ -69,8 +69,7 @@ use rand_chacha::ChaCha20Rng;
 use ark_ff::PrimeField;
 
 type UniPoly_377 = DensePolynomial<<Bls12_377 as Pairing>::ScalarField>;
-type Sponge_Bls12_377 = PoseidonSponge<<Bls12_377 as Pairing>::ScalarField>;
-type PCS = MarlinKZG10<Bls12_377, UniPoly_377, Sponge_Bls12_377>;
+type PCS = MarlinKZG10<Bls12_377, UniPoly_377>;
 
 let rng = &mut test_rng();
 
@@ -184,7 +183,12 @@ Unless you explicitly state otherwise, any contribution that you submit to this
 [aurora-light]: https://ia.cr/2019/601
 [pcd-acc]: https://ia.cr/2020/499
 [pst]: https://ia.cr/2011/587
+<<<<<<< HEAD
 [brakedown]: https://ia.cr/2021/1043
+=======
+[ligero]: https://ia.cr/2022/1608
+[hyrax]: https://eprint.iacr.org/2017/1132
+>>>>>>> ligero-uni-and-ml
 
 ## Reference papers
 
@@ -212,6 +216,14 @@ TCC 2020
 Charalampos Papamanthou, Elaine Shi, Roberto Tamassia   
 TCC 2013
 
+[Ligero: Lightweight Sublinear Arguments Without a Trusted Setup][ligero]    
+Scott Ames, Carmit Hazay, Yuval Ishai, Muthuramakrishnan Venkitasubramaniam    
+CCS 2017
+
+[Doubly-efficient zkSNARKs without trusted setup][hyrax]
+Riad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, Michael Walfish
+2018 IEEE Symposium on Security and Privacy
+
 [Brakedown: Linear-time and field-agnostic SNARKs for R1CS][brakedown]    
 Alexander Golovnev, Jonathan Lee, Srinath Setty, Justin Thaler, Riad S. Wahby    
 CRYPTO 2023

bench-templates/src/lib.rs

@@ -22,14 +22,13 @@ use ark_poly_commit::{to_bytes, LabeledPolynomial, PolynomialCommitment};
 pub use criterion::*;
 pub use paste::paste;
 
-/// Measure the time cost of {commit/open/verify} across a range of num_vars
-pub fn bench_pcs_method<
-    F: PrimeField,
-    P: Polynomial<F>,
-    PCS: PolynomialCommitment<F, P, PoseidonSponge<F>>,
->(
+/// Measure the time cost of `method` (i.e., commit/open/verify) of a
+/// multilinear PCS for all `num_vars` specified in `nv_list`.
+/// `rand_poly` is a function that outputs a random multilinear polynomial.
+/// `rand_point` is a function that outputs a random point in the domain of polynomial.
+pub fn bench_pcs_method<F: PrimeField, P: Polynomial<F>, PCS: PolynomialCommitment<F, P>>(
     c: &mut Criterion,
-    range: Vec<usize>,
+    nv_list: Vec<usize>,
     msg: &str,
     method: impl Fn(
         &PCS::CommitterKey,
@@ -44,7 +43,7 @@ pub fn bench_pcs_method<
     let mut group = c.benchmark_group(msg);
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
 
-    for num_vars in range {
+    for num_vars in nv_list {
         let pp = PCS::setup(num_vars, Some(num_vars), rng).unwrap();
         let (ck, vk) = PCS::trim(&pp, num_vars, num_vars, None).unwrap();
 
@@ -67,11 +66,7 @@ pub fn bench_pcs_method<
 }
 
 /// Report the time cost of a commitment
-pub fn commit<
-    F: PrimeField,
-    P: Polynomial<F>,
-    PCS: PolynomialCommitment<F, P, PoseidonSponge<F>>,
->(
+pub fn commit<F: PrimeField, P: Polynomial<F>, PCS: PolynomialCommitment<F, P>>(
     ck: &PCS::CommitterKey,
     _vk: &PCS::VerifierKey,
     num_vars: usize,
@@ -89,11 +84,7 @@ pub fn commit<
 }
 
 /// Report the size of a commitment
-pub fn commitment_size<
-    F: PrimeField,
-    P: Polynomial<F>,
-    PCS: PolynomialCommitment<F, P, PoseidonSponge<F>>,
->(
+pub fn commitment_size<F: PrimeField, P: Polynomial<F>, PCS: PolynomialCommitment<F, P>>(
     num_vars: usize,
     rand_poly: fn(usize, &mut ChaCha20Rng) -> P,
 ) -> usize {
@@ -122,7 +113,7 @@ pub fn open<F, P, PCS>(
 where
     F: PrimeField,
     P: Polynomial<F>,
-    PCS: PolynomialCommitment<F, P, PoseidonSponge<F>>,
+    PCS: PolynomialCommitment<F, P>,
 {
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
 
@@ -138,7 +129,7 @@ where
         [&labeled_poly],
         &coms,
         &point,
-        &mut test_sponge(),
+        &mut test_sponge::<F>(),
         &states,
         Some(rng),
     )
@@ -151,8 +142,7 @@ pub fn proof_size<F, P, PCS>(num_vars: usize, rand_poly: fn(usize, &mut ChaCha20
 where
     F: PrimeField,
     P: Polynomial<F>,
-    PCS: PolynomialCommitment<F, P, PoseidonSponge<F>>,
-
+    PCS: PolynomialCommitment<F, P>,
     P::Point: UniformRand,
 {
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
@@ -171,7 +161,7 @@ where
         [&labeled_poly],
         &coms,
         &point,
-        &mut test_sponge(),
+        &mut test_sponge::<F>(),
         &states,
         Some(rng),
     )
@@ -193,7 +183,7 @@ pub fn verify<F, P, PCS>(
 where
     F: PrimeField,
     P: Polynomial<F>,
-    PCS: PolynomialCommitment<F, P, PoseidonSponge<F>>,
+    PCS: PolynomialCommitment<F, P>,
 {
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
 
@@ -208,7 +198,7 @@ where
         [&labeled_poly],
         &coms,
         &point,
-        &mut test_sponge(),
+        &mut test_sponge::<F>(),
         &states,
         Some(rng),
     )
@@ -221,7 +211,7 @@ where
         &point,
         [claimed_eval],
         &proof,
-        &mut test_sponge(),
+        &mut test_sponge::<F>(),
         None,
     )
     .unwrap();

poly-commit/Cargo.toml

@@ -16,13 +16,17 @@ ark-poly = {version = "^0.4.0", default-features = false }
 ark-crypto-primitives = {version = "^0.4.0", default-features = false, features = ["sponge", "merkle_tree"] }
 ark-std = { version = "^0.4.0", default-features = false }
 
+blake2 = { version = "0.10", default-features = false }
+derivative = { version = "2", features = [ "use_core" ] }
+digest = "0.10"
+
 ark-relations = { version = "^0.4.0", default-features = false, optional = true }
 ark-r1cs-std = { version = "^0.4.0", default-features = false, optional = true }
-hashbrown = { version = "0.14", default-features = false, optional = true }
 
-digest = "0.10"
-derivative = { version = "2", features = [ "use_core" ] }
+hashbrown = { version = "0.15", default-features = false, features = ["inline-more", "allocator-api2"], optional = true }
+rand = { version = "0.8.0", optional = true }
 rayon = { version = "1", optional = true }
+merlin = { version = "3.0.0", default-features = false }
 
 [[bench]]
 name = "ipa_times"
@@ -34,17 +38,32 @@ name = "brakedown_times"
 path = "benches/brakedown_ml_times.rs"
 harness = false
 
+[[bench]]
+name = "ligero_ml_times"
+path = "benches/ligero_ml_times.rs"
+harness = false
+
+[[bench]]
+name = "hyrax_times"
+path = "benches/hyrax_times.rs"
+harness = false
+
 [[bench]]
 name = "size"
 path = "benches/size.rs"
 harness = false
 
+[target.'cfg(all(target_has_atomic = "8", target_has_atomic = "16", target_has_atomic = "32", target_has_atomic = "64", target_has_atomic = "ptr"))'.dependencies]
+ahash = { version = "0.8", default-features = false}
+
+[target.'cfg(not(all(target_has_atomic = "8", target_has_atomic = "16", target_has_atomic = "32", target_has_atomic = "64", target_has_atomic = "ptr")))'.dependencies]
+fnv = { version = "1.0", default-features = false }
+
 [dev-dependencies]
 ark-ed-on-bls12-381 = { version = "^0.4.0", default-features = false }
 ark-bls12-381 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
 ark-bls12-377 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
 ark-bn254 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
-blake2 = { version = "0.10", default-features = false }
 rand_chacha = { version = "0.3.0", default-features = false }
 ark-pcs-bench-templates = { path = "../bench-templates" }
 
@@ -56,4 +75,4 @@ default = [ "std", "parallel" ]
 std = [ "ark-ff/std", "ark-ec/std", "ark-poly/std", "ark-std/std", "ark-relations/std", "ark-serialize/std", "ark-crypto-primitives/std"]
 r1cs = [ "ark-relations", "ark-r1cs-std", "hashbrown", "ark-crypto-primitives/r1cs"]
 print-trace = [ "ark-std/print-trace" ]
-parallel = [ "std", "ark-ff/parallel", "ark-ec/parallel", "ark-poly/parallel", "ark-std/parallel", "rayon" ]
+parallel = [ "std", "ark-ff/parallel", "ark-ec/parallel", "ark-poly/parallel", "ark-std/parallel", "rayon", "rand" ]

poly-commit/README.md

@@ -56,6 +56,16 @@ EUROCRYPT 2020
 Aniket Kate, Gregory M. Zaverucha, Ian Goldberg     
 ASIACRYPT 2010
 
+### Hyrax multilinear PC
+
+Polynomial commitment scheme introduced together with the Hyrax zkSNARK (in [this](https://eprint.iacr.org/2017/1132) article). It is based on Pedersen commitments and therefore relies on the difficulty of the discrete logarithm problem in order to provide a hiding PCS.
+
+[Doubly-efficient zkSNARKs without trusted setup][hyrax]
+Riad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, Michael Walfish
+2018 IEEE Symposium on Security and Privacy
+
+[hyrax]: https://eprint.iacr.org/2017/1132
+
 ### Marlin variant of the Papamanthou-Shi-Tamassia multivariate PC
 
 Multivariate polynomial commitment based on the construction in the Papamanthou-Shi-Tamassia construction with batching and (optional) hiding property inspired by the univariate scheme in Marlin.

poly-commit/benches/brakedown_ml_times.rs

@@ -1,7 +1,6 @@
 use ark_crypto_primitives::{
     crh::{sha256::Sha256, CRHScheme, TwoToOneCRHScheme},
     merkle_tree::{ByteDigestConverter, Config},
-    sponge::poseidon::PoseidonSponge,
 };
 use ark_pcs_bench_templates::*;
 use ark_poly::{DenseMultilinearExtension, MultilinearExtension};
@@ -30,13 +29,11 @@ impl Config for MerkleTreeParams {
 
 pub type MLE<F> = DenseMultilinearExtension<F>;
 type MTConfig = MerkleTreeParams;
-type Sponge<F> = PoseidonSponge<F>;
 type ColHasher<F> = FieldToBytesColHasher<F, Blake2s256>;
 type Brakedown<F> = LinearCodePCS<
-    MultilinearBrakedown<F, MTConfig, Sponge<F>, MLE<F>, ColHasher<F>>,
+    MultilinearBrakedown<F, MTConfig, MLE<F>, ColHasher<F>>,
     F,
     MLE<F>,
-    Sponge<F>,
     MTConfig,
     ColHasher<F>,
 >;

poly-commit/benches/hyrax_times.rs

@@ -0,0 +1,27 @@
+use ark_pcs_bench_templates::*;
+use ark_poly::{DenseMultilinearExtension, MultilinearExtension};
+
+use ark_bn254::{Fr, G1Affine};
+use ark_ff::PrimeField;
+use ark_poly_commit::hyrax::HyraxPC;
+
+use rand_chacha::ChaCha20Rng;
+
+// Hyrax PCS over BN254
+type Hyrax254 = HyraxPC<G1Affine, DenseMultilinearExtension<Fr>>;
+
+fn rand_poly_hyrax<F: PrimeField>(
+    num_vars: usize,
+    rng: &mut ChaCha20Rng,
+) -> DenseMultilinearExtension<F> {
+    DenseMultilinearExtension::rand(num_vars, rng)
+}
+
+fn rand_point_hyrax<F: PrimeField>(num_vars: usize, rng: &mut ChaCha20Rng) -> Vec<F> {
+    (0..num_vars).map(|_| F::rand(rng)).collect()
+}
+
+const MIN_NUM_VARS: usize = 12;
+const MAX_NUM_VARS: usize = 22;
+
+bench!(Hyrax254, rand_poly_hyrax, rand_point_hyrax);

poly-commit/benches/ipa_times.rs

@@ -1,9 +1,7 @@
-use ark_ec::AffineRepr;
 use ark_pcs_bench_templates::*;
 use ark_poly::DenseUVPolynomial;
 use blake2::Blake2s256;
 
-use ark_crypto_primitives::sponge::poseidon::PoseidonSponge;
 use ark_ed_on_bls12_381::{EdwardsAffine, Fr};
 use ark_ff::PrimeField;
 use ark_poly::univariate::DensePolynomial as DenseUnivariatePoly;
@@ -12,11 +10,10 @@ use ark_poly_commit::ipa_pc::InnerProductArgPC;
 use rand_chacha::ChaCha20Rng;
 
 type UniPoly = DenseUnivariatePoly<Fr>;
-type Sponge = PoseidonSponge<<EdwardsAffine as AffineRepr>::ScalarField>;
 
 // IPA_PC over the JubJub curve with Blake2s as the hash function
 #[allow(non_camel_case_types)]
-type IPA_JubJub = InnerProductArgPC<EdwardsAffine, Blake2s256, UniPoly, Sponge>;
+type IPA_JubJub = InnerProductArgPC<EdwardsAffine, Blake2s256, UniPoly>;
 
 fn rand_poly_ipa_pc<F: PrimeField>(degree: usize, rng: &mut ChaCha20Rng) -> DenseUnivariatePoly<F> {
     DenseUnivariatePoly::rand(degree, rng)

poly-commit/benches/ligero_ml_times.rs

@@ -0,0 +1,55 @@
+use ark_crypto_primitives::{
+    crh::{sha256::Sha256, CRHScheme, TwoToOneCRHScheme},
+    merkle_tree::{ByteDigestConverter, Config},
+};
+use ark_pcs_bench_templates::*;
+use ark_poly::{DenseMultilinearExtension, MultilinearExtension};
+
+use ark_bn254::Fr;
+use ark_ff::PrimeField;
+
+use ark_poly_commit::linear_codes::{LinearCodePCS, MultilinearLigero};
+use blake2::Blake2s256;
+use rand_chacha::ChaCha20Rng;
+
+// Ligero PCS over BN254
+struct MerkleTreeParams;
+type LeafH = LeafIdentityHasher;
+type CompressH = Sha256;
+impl Config for MerkleTreeParams {
+    type Leaf = Vec<u8>;
+
+    type LeafDigest = <LeafH as CRHScheme>::Output;
+    type LeafInnerDigestConverter = ByteDigestConverter<Self::LeafDigest>;
+    type InnerDigest = <CompressH as TwoToOneCRHScheme>::Output;
+
+    type LeafHash = LeafH;
+    type TwoToOneHash = CompressH;
+}
+
+pub type MLE<F> = DenseMultilinearExtension<F>;
+type MTConfig = MerkleTreeParams;
+type ColHasher<F> = FieldToBytesColHasher<F, Blake2s256>;
+type Ligero<F> = LinearCodePCS<
+    MultilinearLigero<F, MTConfig, MLE<F>, ColHasher<F>>,
+    F,
+    MLE<F>,
+    MTConfig,
+    ColHasher<F>,
+>;
+
+fn rand_poly_ligero_ml<F: PrimeField>(
+    num_vars: usize,
+    rng: &mut ChaCha20Rng,
+) -> DenseMultilinearExtension<F> {
+    DenseMultilinearExtension::rand(num_vars, rng)
+}
+
+fn rand_point_ligero_ml<F: PrimeField>(num_vars: usize, rng: &mut ChaCha20Rng) -> Vec<F> {
+    (0..num_vars).map(|_| F::rand(rng)).collect()
+}
+
+const MIN_NUM_VARS: usize = 12;
+const MAX_NUM_VARS: usize = 22;
+
+bench!(Ligero<Fr>, rand_poly_ligero_ml, rand_point_ligero_ml);