snarkpack integration

Author: maramihali

Cargo.toml

@@ -42,6 +42,8 @@ ark-groth16 = { version = "^0.3.0", features = ["r1cs"] }
 ark-bw6-761 = { version = "^0.3.0" }
 ark-poly-commit = { version = "^0.3.0" }
 ark-poly = {version = "^0.3.0"}
+snarkpack = { path="../snarkpack"}
+
 
 lazy_static = "1.4.0"
 rand = { version = "0.8", features = [ "std", "std_rng" ] }
@@ -91,5 +93,6 @@ std = ["ark-ff/std", "ark-ec/std", "ark-std/std", "ark-relations/std", "ark-seri
 
 [patch.crates-io]
 ark-r1cs-std = { git = "https://github.com/arkworks-rs/r1cs-std/", rev = "a2a5ac491ae005ba2afd03fd21b7d3160d794a83"}
-ark-poly-commit = {git = "https://github.com/maramihali/poly-commit"}
+ark-poly-commit = {git = "https://github.com/maramihali/poly-commit", branch="pst_g2"}
+
 

src/constraints.rs

@@ -393,15 +393,13 @@ impl ConstraintSynthesizer<Fr> for R1CSVerificationCircuit {
 
     let expected_claim_post_phase2_var = eval_Z_at_ry_var * scalar_var;
     claim_post_phase2_var.enforce_equal(&expected_claim_post_phase2_var)?;
-
     let expected_transcript_state_var = transcript_var.challenge()?;
     let claimed_transcript_state_var =
       FpVar::<Fr>::new_input(cs, || Ok(self.claimed_transcript_sat_state))?;
 
     // Ensure that the prover and verifier transcipt views are consistent at
     // the end of the satisfiability proof.
     expected_transcript_state_var.enforce_equal(&claimed_transcript_state_var)?;
-
     Ok(())
   }
 }

src/lib.rs

@@ -407,7 +407,7 @@ impl SNARK {
     // side all the previous updates are done on the transcript
     // circuit variable and the transcript outside the circuit will be
     // inconsistent wrt to the prover's.
-    transcript.new_from_state(&r1cs_sat_proof.transcript_sat_state);
+    // transcript.new_from_state(&r1cs_sat_proof.transcript_sat_state);
 
     // We send evaluations of A, B, C at r = (rx, ry) as claims
     // to enable the verifier complete the first sum-check
@@ -480,7 +480,7 @@ impl SNARK {
     // TODO: find a way to retrieve this state from the circuit. Currently
     // the API for generating constraints doesn't support returning values
     // computed inside the circuit.
-    transcript.new_from_state(&self.r1cs_sat_proof.transcript_sat_state);
+    // transcript.new_from_state(&self.r1cs_sat_proof.transcript_sat_state);
 
     let (Ar, Br, Cr) = &self.inst_evals;
     transcript.append_scalar(&Ar);
@@ -598,10 +598,10 @@ impl NIZK {
 
     // We send evaluations of A, B, C at r = (rx, ry) as claims
     // to enable the verifier complete the first sum-check
-    let timer_eval = Timer::new("eval_sparse_polys");
+    // let timer_eval = Timer::new("eval_sparse_polys");
     let (claimed_rx, claimed_ry) = &self.r;
     let inst_evals = inst.inst.evaluate(claimed_rx, claimed_ry);
-    timer_eval.stop();
+    // timer_eval.stop();
 
     let timer_sat_proof = Timer::new("verify_sat_proof");
     assert_eq!(input.assignment.len(), inst.inst.get_num_inputs());

src/poseidon_transcript.rs

@@ -1,14 +1,16 @@
 use crate::group::{CompressedGroup, Fr};
 
 use super::scalar::Scalar;
-use ark_bls12_377::Bls12_377 as I;
+use ark_bls12_377::{Bls12_377 as I, G1Affine};
+use ark_ec::PairingEngine;
+use ark_ff::{Field, PrimeField};
 use ark_poly_commit::multilinear_pc::data_structures::Commitment;
 use ark_serialize::CanonicalSerialize;
-// use ark_r1cs_std::prelude::*;
 use ark_sponge::{
   poseidon::{PoseidonParameters, PoseidonSponge},
   CryptographicSponge,
 };
+use snarkpack::Transcript;
 
 #[derive(Clone)]
 /// TODO
@@ -17,6 +19,22 @@ pub struct PoseidonTranscript {
   params: PoseidonParameters<Fr>,
 }
 
+impl Transcript for PoseidonTranscript {
+  fn domain_sep(&mut self) {
+    self.sponge.absorb(&b"testudo".to_vec());
+  }
+
+  fn append<S: CanonicalSerialize>(&mut self, label: &'static [u8], point: &S) {
+    let mut buf = Vec::new();
+    point.serialize(&mut buf).expect("serialization failed");
+    self.sponge.absorb(&buf);
+  }
+
+  fn challenge_scalar<F: PrimeField>(&mut self, label: &'static [u8]) -> F {
+    self.sponge.squeeze_field_elements(1).remove(0)
+  }
+}
+
 impl PoseidonTranscript {
   /// create a new transcript
   pub fn new(params: &PoseidonParameters<Fr>) -> Self {
@@ -56,6 +74,12 @@ impl PoseidonTranscript {
     }
   }
 
+  pub fn append_gt(&mut self, g_t: &<I as PairingEngine>::Fqk) {
+    let mut bytes = Vec::new();
+    g_t.serialize(&mut bytes).unwrap();
+    self.append_bytes(&bytes);
+  }
+
   pub fn challenge_scalar(&mut self) -> Scalar {
     self.sponge.squeeze_field_elements(1).remove(0)
   }
@@ -82,3 +106,11 @@ impl AppendToPoseidon for Commitment<I> {
     transcript.append_bytes(&bytes);
   }
 }
+
+impl AppendToPoseidon for G1Affine {
+  fn append_to_poseidon(&self, transcript: &mut PoseidonTranscript) {
+    let mut bytes = Vec::new();
+    self.serialize(&mut bytes).unwrap();
+    transcript.append_bytes(&bytes);
+  }
+}

src/r1csproof.rs

@@ -4,14 +4,15 @@ use crate::group::{Fq, Fr};
 use crate::math::Math;
 use crate::parameters::poseidon_params;
 use crate::poseidon_transcript::{AppendToPoseidon, PoseidonTranscript};
-use crate::sqrt_pst::PolyList;
+use crate::sqrt_pst::Polynomial;
 use crate::sumcheck::SumcheckInstanceProof;
 use ark_bls12_377::Bls12_377 as I;
 use ark_bw6_761::BW6_761 as P;
 use ark_ec::PairingEngine;
 use ark_poly::MultilinearExtension;
 use ark_poly_commit::multilinear_pc::data_structures::{Commitment, Proof};
 use ark_poly_commit::multilinear_pc::MultilinearPC;
+use snarkpack::mipp::MippProof;
 
 use super::commitments::MultiCommitGens;
 use super::dense_mlpoly::{DensePolynomial, EqPolynomial, PolyCommitmentGens};
@@ -45,6 +46,7 @@ pub struct R1CSProof {
   // The transcript state after the satisfiability proof was computed.
   pub transcript_sat_state: Scalar,
   pub t: <I as PairingEngine>::Fqk,
+  pub mipp_proof: MippProof<I>,
 }
 #[derive(Clone)]
 pub struct R1CSSumcheckGens {
@@ -146,12 +148,12 @@ impl R1CSProof {
 
     // create the multilinear witness polynomial from the satisfying assiment
     // expressed as the list of sqrt-sized polynomials
-    let pl = PolyList::new(&vars.clone());
+    let mut pl = Polynomial::from_evaluations(&vars.clone());
 
     let timer_commit = Timer::new("polycommit");
 
     // commitment list to the satisfying witness polynomial list
-    let (comm_list, t) = PolyList::commit(&pl, &gens.gens_pc.ck);
+    let (comm_list, t) = pl.commit(&gens.gens_pc.ck);
 
     let mut bytes = Vec::new();
     t.serialize(&mut bytes).unwrap();
@@ -237,31 +239,28 @@ impl R1CSProof {
       transcript,
     );
     timer_sc_proof_phase2.stop();
+    let c = transcript.challenge_scalar();
+    transcript.new_from_state(&c);
 
     // TODO: modify the polynomial evaluation in Spartan to be consistent
     // with the evaluation in ark-poly-commit so that reversing is not needed
     // anymore
     let timmer_opening = Timer::new("polyopening");
-    let mut dummy = ry[1..].to_vec().clone();
-    dummy.reverse();
-    let q = pl.get_q(&dummy);
+    timer_prove.stop();
 
-    let (comm, proof_eval_vars_at_ry) = PolyList::open_q(comm_list, &gens.gens_pc.ck, &q, &dummy);
+    let (comm, proof_eval_vars_at_ry, mipp_proof) =
+      pl.open(transcript, comm_list, &gens.gens_pc.ck, &ry[1..], &t);
     println!(
       "proof size (no of quotients): {:?}",
       proof_eval_vars_at_ry.proofs.len()
     );
-    // comm.append_to_poseidon(transcript);
+
     timmer_opening.stop();
 
     let timer_polyeval = Timer::new("polyeval");
-    let eval_vars_at_ry = PolyList::eval_q(q.clone(), &dummy);
+    let eval_vars_at_ry = pl.eval(&ry[1..]);
     timer_polyeval.stop();
 
-    timer_prove.stop();
-
-    let c = transcript.challenge_scalar();
-
     (
       R1CSProof {
         comm,
@@ -273,7 +272,8 @@ impl R1CSProof {
         rx: rx.clone(),
         ry: ry.clone(),
         transcript_sat_state: c,
-        t: t,
+        t,
+        mipp_proof,
       },
       rx,
       ry,
@@ -333,6 +333,7 @@ impl R1CSProof {
     let dp1 = start.elapsed().as_millis();
     prove_inner.stop();
 
+    // this is universal, we don't measure it
     let start = Instant::now();
     let (pk, vk) = Groth16::<P>::setup(circuit.clone(), &mut rng).unwrap();
     let ds = start.elapsed().as_millis();
@@ -344,24 +345,25 @@ impl R1CSProof {
     prove_outer.stop();
 
     let start = Instant::now();
+    let verifier_time = Timer::new("groth16_verification");
     let is_verified = Groth16::<P>::verify(&vk, &[], &proof).unwrap();
     assert!(is_verified);
+    verifier_time.stop();
 
     let timer_verification = Timer::new("commitverification");
-    let mut dummy = self.ry[1..].to_vec();
-    // TODO: ensure ark-poly-commit and Spartan produce consistent results
-    // when evaluating a polynomial at a given point so this reverse is not
-    // needed.
-    dummy.reverse();
+    transcript.new_from_state(&self.transcript_sat_state);
 
     // Verifies the proof of opening against the result of evaluating the
     // witness polynomial at point ry.
-    let res = PolyList::verify_q(
+    let res = Polynomial::verify(
+      transcript,
       &gens.gens_pc.vk,
       &self.comm,
-      &dummy,
+      &self.ry[1..],
       self.eval_vars_at_ry,
       &self.proof_eval_vars_at_ry,
+      &self.mipp_proof,
+      &self.t,
     );
 
     timer_verification.stop();
@@ -382,7 +384,10 @@ impl R1CSProof {
     transcript: &mut PoseidonTranscript,
     gens: &R1CSGens,
   ) -> Result<usize, ProofVerifyError> {
-    // self.comm.append_to_poseidon(transcript);
+    // serialise and add the IPP commitment to the transcript
+    let mut bytes = Vec::new();
+    self.t.serialize(&mut bytes).unwrap();
+    transcript.append_bytes(&bytes);
 
     let c = transcript.challenge_scalar();