Merge master into constraints

Cargo.toml

@@ -43,6 +43,7 @@ ark-ed-on-bls12-381 = { version = "0.3", default-features = false }
 ark-bls12-381 = { version = "0.3", default-features = false, features = [ "curve" ] }
 ark-bls12-377 = { version = "0.3", default-features = false, features = [ "curve" ] }
 blake2 = { version = "0.9", default-features = false }
+rand_chacha = { version = "0.3.0", default-features = false }
 
 [profile.release]
 opt-level = 3

README.md

@@ -54,7 +54,7 @@ Unless you explicitly state otherwise, any contribution that you submit to this
 [sonic]: https://ia.cr/2019/099
 [aurora-light]: https://ia.cr/2019/601
 [pcd-acc]: https://ia.cr/2020/499
-[pst]: https://ia.cr.org/2011/587
+[pst]: https://ia.cr/2011/587
 
 ## Reference papers
 
@@ -78,8 +78,8 @@ EUROCRYPT 2020
 Benedikt Bünz, Alessandro Chiesa, [Pratyush Mishra](https://www.github.com/pratyush), Nicholas Spooner     
 TCC 2020
 
-[Signatures of Correct Computation][pst]
-Charalampos Papamanthou, Elaine Shi, Roberto Tamassia
+[Signatures of Correct Computation][pst]    
+Charalampos Papamanthou, Elaine Shi, Roberto Tamassia   
 TCC 2013
 
 ## Acknowledgements

src/README.md

@@ -0,0 +1,107 @@
+## Supported Polynomial Commitment Schemes
+
+The library supports four polynomial commitment schemes.
+
+### Inner-product-argument PC
+
+A polynomial commitment scheme based on the hardness of the discrete logarithm problem in prime-order groups. 
+
+The construction is described in the following paper.
+
+[pcd-acc]: https://ia.cr/2020/499
+
+[Proof-Carrying Data from Accumulation Schemes][pcd-acc]     
+Benedikt Bünz, Alessandro Chiesa, Pratyush Mishra, Nicholas Spooner     
+TCC 2020
+
+### Marlin variant of the Kate-Zaverucha-Goldberg PC
+
+[kzg10]: http://cacr.uwaterloo.ca/techreports/2010/cacr2010-10.pdf
+[marlin]: https://ia.cr/2019/1047
+
+Polynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement, batching, and (optional) hiding property taken from Marlin.
+
+The construction is described in the following paper.
+
+[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]     
+Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward  
+EUROCRYPT 2020
+
+[Polynomial Commitments][kzg10]     
+Aniket Kate, Gregory M. Zaverucha, Ian Goldberg     
+ASIACRYPT 2010
+
+### Sonic/AuroraLight variant of the Kate-Zaverucha-Goldberg PC
+
+Polynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement and batching taken from Sonic (more precisely, their counterparts in AuroraLight that avoid negative G1 powers). The (optional) hiding property of the commitment scheme follows the approach described in Marlin.
+
+The construction is described in the following papers.
+
+[sonic]: https://ia.cr/2019/099
+[aurora-light]: https://ia.cr/2019/601
+
+[AuroraLight: Improved Prover Efficiency and SRS Size in a Sonic-Like System][aurora-light]     
+Ariel Gabizon     
+ePrint, 2019
+
+[Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings][sonic]     
+Mary Maller, Sean Bowe, Markulf Kohlweiss, Sarah Meiklejohn     
+CCS 2019
+
+[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]     
+Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward  
+EUROCRYPT 2020
+
+[Polynomial Commitments][kzg10]     
+Aniket Kate, Gregory M. Zaverucha, Ian Goldberg     
+ASIACRYPT 2010
+
+### Marlin variant of the Papamanthou-Shi-Tamassia multivariate PC
+
+Multivariate polynomial commitment based on the construction in the Papamanthou-Shi-Tamassia construction with batching and (optional) hiding property inspired by the univariate scheme in Marlin.
+
+The construction is described in the following paper.
+
+[pst]: https://ia.cr/2011/587
+
+[Signatures of Correct Computation][pst]    
+Charalampos Papamanthou, Elaine Shi, Roberto Tamassia   
+TCC 2013
+
+[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]     
+Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward  
+EUROCRYPT 2020
+
+## Comparison
+
+### Comparison of `MarlinKZG10` and `SonicKZG10`
+
+
+#### High-level:
+They handle degree bounds differently. 
+
+MarlinPC uses shift powers only in G1 and requires two commitments to enforce degree bounds.
+
+SonicPC uses shift powers in G1 and G2 and requires only one commitment to enforce degree bounds.
+
+#### Setup:
+
+SonicPC additionally computes some G2 elements for shift powers: `(1/\beta)^i H`. This results in a longer verifying key, as shift powers in SonicPC are in G2, while shift powers in Marlin are in G1, and are shared with the "non-shift" powers.
+
+#### Commit:
+
+When there is no degree bound, both are the same.
+
+When there is a degree bound, MarlinPC is more expensive: it needs an additional commitment to commit to the shifted poynomial. 
+
+#### Open: 
+
+When there is no degree bound, both are the same.
+
+When there is a degree bound, MarlinPC is slightly more expensive: it requires more scalar field computations.
+
+#### Check:
+
+MarlinPC simply adjusts the commitment of the shifted polynomial, so the overhead is small. It checks a pairing equation with two pairing operations.
+
+SonicPC is more expensive, as it checks a pairing equation of three pairing operations. It can be reduced into two if there is no degree bound.

src/ipa_pc/mod.rs

@@ -1044,23 +1044,31 @@ mod tests {
     use ark_ff::PrimeField;
     use ark_poly::{univariate::DensePolynomial as DensePoly, UVPolynomial};
     use ark_sponge::poseidon::PoseidonSponge;
-    use ark_std::rand::rngs::StdRng;
     use blake2::Blake2s;
+    use rand_chacha::ChaCha20Rng;
 
     type UniPoly = DensePoly<Fr>;
     type Sponge = PoseidonSponge<<EdwardsAffine as AffineCurve>::ScalarField>;
     type PC<E, D, P, S> = InnerProductArgPC<E, D, P, S>;
     type PC_JJB2S = PC<EdwardsAffine, Blake2s, UniPoly, Sponge>;
 
-    fn rand_poly<F: PrimeField>(degree: usize, _: Option<usize>, rng: &mut StdRng) -> DensePoly<F> {
+    fn rand_poly<F: PrimeField>(
+        degree: usize,
+        _: Option<usize>,
+        rng: &mut ChaCha20Rng,
+    ) -> DensePoly<F> {
         DensePoly::rand(degree, rng)
     }
 
-    fn constant_poly<F: PrimeField>(_: usize, _: Option<usize>, rng: &mut StdRng) -> DensePoly<F> {
+    fn constant_poly<F: PrimeField>(
+        _: usize,
+        _: Option<usize>,
+        rng: &mut ChaCha20Rng,
+    ) -> DensePoly<F> {
         DensePoly::from_coefficients_slice(&[F::rand(rng)])
     }
 
-    fn rand_point<F: PrimeField>(_: Option<usize>, rng: &mut StdRng) -> F {
+    fn rand_point<F: PrimeField>(_: Option<usize>, rng: &mut ChaCha20Rng) -> F {
         F::rand(rng)
     }
 

src/kzg10/data_structures.rs

@@ -11,7 +11,12 @@ use ark_std::{
 
 /// `UniversalParams` are the universal parameters for the KZG10 scheme.
 #[derive(Derivative)]
-#[derivative(Clone(bound = ""), Debug(bound = ""))]
+#[derivative(
+    Clone(bound = ""),
+    Debug(bound = ""),
+    PartialEq(bound = ""),
+    Eq(bound = "")
+)]
 pub struct UniversalParams<E: PairingEngine> {
     /// Group elements of the form `{ \beta^i G }`, where `i` ranges from 0 to `degree`.
     pub powers_of_g: Vec<E::G1Affine>,
@@ -24,10 +29,10 @@ pub struct UniversalParams<E: PairingEngine> {
     /// Group elements of the form `{ \beta^i G2 }`, where `i` ranges from `0` to `-degree`.
     pub neg_powers_of_h: BTreeMap<usize, E::G2Affine>,
     /// The generator of G2, prepared for use in pairings.
-    #[derivative(Debug = "ignore")]
+    #[derivative(Debug = "ignore", PartialEq = "ignore")]
     pub prepared_h: E::G2Prepared,
     /// \beta times the above generator of G2, prepared for use in pairings.
-    #[derivative(Debug = "ignore")]
+    #[derivative(Debug = "ignore", PartialEq = "ignore")]
     pub prepared_beta_h: E::G2Prepared,
 }
 
@@ -153,7 +158,8 @@ impl<E: PairingEngine> CanonicalDeserialize for UniversalParams<E> {
     Default(bound = ""),
     Hash(bound = ""),
     Clone(bound = ""),
-    Debug(bound = "")
+    Debug(bound = ""),
+    PartialEq
 )]
 pub struct Powers<'a, E: PairingEngine> {
     /// Group elements of the form `β^i G`, for different values of `i`.
@@ -169,9 +175,64 @@ impl<E: PairingEngine> Powers<'_, E> {
     }
 }
 
+impl<'a, E: PairingEngine> CanonicalSerialize for Powers<'a, E> {
+    fn serialize<W: Write>(&self, mut writer: W) -> Result<(), SerializationError> {
+        self.powers_of_g.serialize(&mut writer)?;
+        self.powers_of_gamma_g.serialize(&mut writer)
+    }
+
+    fn serialized_size(&self) -> usize {
+        self.powers_of_g.serialized_size() + self.powers_of_gamma_g.serialized_size()
+    }
+
+    fn serialize_unchecked<W: Write>(&self, mut writer: W) -> Result<(), SerializationError> {
+        self.powers_of_g.serialize_unchecked(&mut writer)?;
+        self.powers_of_gamma_g.serialize_unchecked(&mut writer)
+    }
+
+    fn serialize_uncompressed<W: Write>(&self, mut writer: W) -> Result<(), SerializationError> {
+        self.powers_of_g.serialize_uncompressed(&mut writer)?;
+        self.powers_of_gamma_g.serialize_uncompressed(&mut writer)
+    }
+}
+
+impl<'a, E: PairingEngine> CanonicalDeserialize for Powers<'a, E> {
+    fn deserialize<R: Read>(mut reader: R) -> Result<Self, SerializationError> {
+        let powers_of_g = Vec::<E::G1Affine>::deserialize(&mut reader)?;
+        let powers_of_gamma_g = Vec::<E::G1Affine>::deserialize(&mut reader)?;
+        Ok(Self {
+            powers_of_g: Cow::Owned(powers_of_g),
+            powers_of_gamma_g: Cow::Owned(powers_of_gamma_g),
+        })
+    }
+
+    fn deserialize_unchecked<R: Read>(mut reader: R) -> Result<Self, SerializationError> {
+        let powers_of_g = Vec::<E::G1Affine>::deserialize_unchecked(&mut reader)?;
+        let powers_of_gamma_g = Vec::<E::G1Affine>::deserialize_unchecked(&mut reader)?;
+        Ok(Self {
+            powers_of_g: Cow::Owned(powers_of_g),
+            powers_of_gamma_g: Cow::Owned(powers_of_gamma_g),
+        })
+    }
+
+    fn deserialize_uncompressed<R: Read>(mut reader: R) -> Result<Self, SerializationError> {
+        let powers_of_g = Vec::<E::G1Affine>::deserialize_uncompressed(&mut reader)?;
+        let powers_of_gamma_g = Vec::<E::G1Affine>::deserialize_uncompressed(&mut reader)?;
+        Ok(Self {
+            powers_of_g: Cow::Owned(powers_of_g),
+            powers_of_gamma_g: Cow::Owned(powers_of_gamma_g),
+        })
+    }
+}
 /// `VerifierKey` is used to check evaluation proofs for a given commitment.
 #[derive(Derivative)]
-#[derivative(Default(bound = ""), Clone(bound = ""), Debug(bound = ""))]
+#[derivative(
+    Default(bound = ""),
+    Clone(bound = ""),
+    Debug(bound = ""),
+    PartialEq(bound = ""),
+    Eq(bound = "")
+)]
 pub struct VerifierKey<E: PairingEngine> {
     /// The generator of G1.
     pub g: E::G1Affine,
@@ -182,10 +243,10 @@ pub struct VerifierKey<E: PairingEngine> {
     /// \beta times the above generator of G2.
     pub beta_h: E::G2Affine,
     /// The generator of G2, prepared for use in pairings.
-    #[derivative(Debug = "ignore")]
+    #[derivative(Debug = "ignore", PartialEq = "ignore")]
     pub prepared_h: E::G2Prepared,
     /// \beta times the above generator of G2, prepared for use in pairings.
-    #[derivative(Debug = "ignore")]
+    #[derivative(Debug = "ignore", PartialEq = "ignore")]
     pub prepared_beta_h: E::G2Prepared,
 }