From b1a4c73694f3af6246c719d9c9b1ab3b50a179a4 Mon Sep 17 00:00:00 2001 From: amit0365 Date: Tue, 11 Jun 2024 21:53:10 -0400 Subject: [PATCH 01/26] gkr_nonnative intial review --- frontend/variable.go | 522 +++++++++ std/fiat-shamir/settings.go | 16 + std/gkr/gkr.go | 1 + std/gkr/gkr_test.go | 12 +- std/math/emulated/element.go | 19 + std/math/emulated/field_mul.go | 10 + std/math/polynomial/polynomial.go | 16 + std/polynomial/polynomial.go | 106 +- std/polynomial/polynomial_test.go | 2 +- std/polynomial/pool.go | 203 ++++ std/recursion/sumcheck/arithengine.go | 13 + std/recursion/sumcheck/challenge.go | 1 + std/recursion/sumcheck/claim_intf.go | 34 + std/recursion/sumcheck/gkr_nonnative.go | 1362 +++++++++++++++++++++++ std/recursion/sumcheck/polynomial.go | 81 ++ std/recursion/sumcheck/proof.go | 11 + std/recursion/sumcheck/prover.go | 94 ++ std/recursion/sumcheck/verifier.go | 87 +- std/sumcheck/sumcheck.go | 4 +- 19 files changed, 2587 insertions(+), 7 deletions(-) create mode 100644 std/polynomial/pool.go create mode 100644 std/recursion/sumcheck/gkr_nonnative.go diff --git a/frontend/variable.go b/frontend/variable.go index 82d33fbc90..b0eda66c0c 100644 --- a/frontend/variable.go +++ b/frontend/variable.go @@ -17,6 +17,13 @@ limitations under the License. package frontend import ( + "encoding/binary" + "errors" + "math/big" + "math/bits" + + "github.com/consensys/gnark-crypto/field/pool" + "github.com/consensys/gnark/frontend/internal/expr" ) @@ -25,6 +32,521 @@ import ( // The only purpose of putting this definition here is to avoid the import cycles (cs/plonk <-> frontend) and (cs/r1cs <-> frontend) type Variable interface{} +type Element [4]uint64 + +var qInvNeg uint64 + +// Field modulus q +var ( + q0 uint64 + q1 uint64 + q2 uint64 + q3 uint64 +) + +var _modulus big.Int // q stored as big.Int + +// SetZero z = 0 +func (z *Element) SetZero() *Element { + z[0] = 0 + z[1] = 0 + z[2] = 0 + z[3] = 0 + return z +} + +// rSquare where r is the Montgommery constant +// see section 2.3.2 of Tolga Acar's thesis +// https://www.microsoft.com/en-us/research/wp-content/uploads/1998/06/97Acar.pdf +var rSquare = Element{ +} + +const ( + Limbs = 4 // number of 64 bits words needed to represent a Element + Bits = 254 // number of bits needed to represent a Element + Bytes = 32 // number of bytes needed to represent a Element +) + +// fromMont converts z in place (i.e. mutates) from Montgomery to regular representation +// sets and returns z = z * 1 +func (z *Element) fromMont() *Element { + fromMont(z) + return z +} + +func fromMont(z *Element) { + _fromMontGeneric(z) +} + +func _fromMontGeneric(z *Element) { + // the following lines implement z = z * 1 + // with a modified CIOS montgomery multiplication + // see Mul for algorithm documentation + { + // m = z[0]n'[0] mod W + m := z[0] * qInvNeg + C := madd0(m, q0, z[0]) + C, z[0] = madd2(m, q1, z[1], C) + C, z[1] = madd2(m, q2, z[2], C) + C, z[2] = madd2(m, q3, z[3], C) + z[3] = C + } + { + // m = z[0]n'[0] mod W + m := z[0] * qInvNeg + C := madd0(m, q0, z[0]) + C, z[0] = madd2(m, q1, z[1], C) + C, z[1] = madd2(m, q2, z[2], C) + C, z[2] = madd2(m, q3, z[3], C) + z[3] = C + } + { + // m = z[0]n'[0] mod W + m := z[0] * qInvNeg + C := madd0(m, q0, z[0]) + C, z[0] = madd2(m, q1, z[1], C) + C, z[1] = madd2(m, q2, z[2], C) + C, z[2] = madd2(m, q3, z[3], C) + z[3] = C + } + { + // m = z[0]n'[0] mod W + m := z[0] * qInvNeg + C := madd0(m, q0, z[0]) + C, z[0] = madd2(m, q1, z[1], C) + C, z[1] = madd2(m, q2, z[2], C) + C, z[2] = madd2(m, q3, z[3], C) + z[3] = C + } + + // if z ⩾ q → z -= q + if !z.smallerThanModulus() { + var b uint64 + z[0], b = bits.Sub64(z[0], q0, 0) + z[1], b = bits.Sub64(z[1], q1, b) + z[2], b = bits.Sub64(z[2], q2, b) + z[3], _ = bits.Sub64(z[3], q3, b) + } +} + +// smallerThanModulus returns true if z < q +// This is not constant time +func (z *Element) smallerThanModulus() bool { + return (z[3] < q3 || (z[3] == q3 && (z[2] < q2 || (z[2] == q2 && (z[1] < q1 || (z[1] == q1 && (z[0] < q0))))))) +} + +// madd0 hi = a*b + c (discards lo bits) +func madd0(a, b, c uint64) (hi uint64) { + var carry, lo uint64 + hi, lo = bits.Mul64(a, b) + _, carry = bits.Add64(lo, c, 0) + hi, _ = bits.Add64(hi, 0, carry) + return +} + +// madd1 hi, lo = a*b + c +func madd1(a, b, c uint64) (hi uint64, lo uint64) { + var carry uint64 + hi, lo = bits.Mul64(a, b) + lo, carry = bits.Add64(lo, c, 0) + hi, _ = bits.Add64(hi, 0, carry) + return +} + +// madd2 hi, lo = a*b + c + d +func madd2(a, b, c, d uint64) (hi uint64, lo uint64) { + var carry uint64 + hi, lo = bits.Mul64(a, b) + c, carry = bits.Add64(c, d, 0) + hi, _ = bits.Add64(hi, 0, carry) + lo, carry = bits.Add64(lo, c, 0) + hi, _ = bits.Add64(hi, 0, carry) + return +} + +func madd3(a, b, c, d, e uint64) (hi uint64, lo uint64) { + var carry uint64 + hi, lo = bits.Mul64(a, b) + c, carry = bits.Add64(c, d, 0) + hi, _ = bits.Add64(hi, 0, carry) + lo, carry = bits.Add64(lo, c, 0) + hi, _ = bits.Add64(hi, e, carry) + return +} +func max(a int, b int) int { + if a > b { + return a + } + return b +} + +func min(a int, b int) int { + if a < b { + return a + } + return b +} + +// BigEndian is the big-endian implementation of ByteOrder and AppendByteOrder. +var BigEndian bigEndian + +type bigEndian struct{} + +// Element interpret b is a big-endian 32-byte slice. +// If b encodes a value higher than q, Element returns error. +func (bigEndian) Element(b *[Bytes]byte) (Element, error) { + var z Element + z[0] = binary.BigEndian.Uint64((*b)[24:32]) + z[1] = binary.BigEndian.Uint64((*b)[16:24]) + z[2] = binary.BigEndian.Uint64((*b)[8:16]) + z[3] = binary.BigEndian.Uint64((*b)[0:8]) + + if !z.smallerThanModulus() { + return Element{}, errors.New("invalid fr.Element encoding") + } + + z.toMont() + return z, nil +} + +// toMont converts z to Montgomery form +// sets and returns z = z * r² +func (z *Element) toMont() *Element { + return z.Mul(z, &rSquare) +} + +// Mul z = x * y (mod q) +// +// x and y must be less than q +func (z *Element) Mul(x, y *Element) *Element { + + // Implements CIOS multiplication -- section 2.3.2 of Tolga Acar's thesis + // https://www.microsoft.com/en-us/research/wp-content/uploads/1998/06/97Acar.pdf + // + // The algorithm: + // + // for i=0 to N-1 + // C := 0 + // for j=0 to N-1 + // (C,t[j]) := t[j] + x[j]*y[i] + C + // (t[N+1],t[N]) := t[N] + C + // + // C := 0 + // m := t[0]*q'[0] mod D + // (C,_) := t[0] + m*q[0] + // for j=1 to N-1 + // (C,t[j-1]) := t[j] + m*q[j] + C + // + // (C,t[N-1]) := t[N] + C + // t[N] := t[N+1] + C + // + // → N is the number of machine words needed to store the modulus q + // → D is the word size. For example, on a 64-bit architecture D is 2 64 + // → x[i], y[i], q[i] is the ith word of the numbers x,y,q + // → q'[0] is the lowest word of the number -q⁻¹ mod r. This quantity is pre-computed, as it does not depend on the inputs. + // → t is a temporary array of size N+2 + // → C, S are machine words. A pair (C,S) refers to (hi-bits, lo-bits) of a two-word number + // + // As described here https://hackmd.io/@gnark/modular_multiplication we can get rid of one carry chain and simplify: + // (also described in https://eprint.iacr.org/2022/1400.pdf annex) + // + // for i=0 to N-1 + // (A,t[0]) := t[0] + x[0]*y[i] + // m := t[0]*q'[0] mod W + // C,_ := t[0] + m*q[0] + // for j=1 to N-1 + // (A,t[j]) := t[j] + x[j]*y[i] + A + // (C,t[j-1]) := t[j] + m*q[j] + C + // + // t[N-1] = C + A + // + // This optimization saves 5N + 2 additions in the algorithm, and can be used whenever the highest bit + // of the modulus is zero (and not all of the remaining bits are set). + + var t0, t1, t2, t3 uint64 + var u0, u1, u2, u3 uint64 + { + var c0, c1, c2 uint64 + v := x[0] + u0, t0 = bits.Mul64(v, y[0]) + u1, t1 = bits.Mul64(v, y[1]) + u2, t2 = bits.Mul64(v, y[2]) + u3, t3 = bits.Mul64(v, y[3]) + t1, c0 = bits.Add64(u0, t1, 0) + t2, c0 = bits.Add64(u1, t2, c0) + t3, c0 = bits.Add64(u2, t3, c0) + c2, _ = bits.Add64(u3, 0, c0) + + m := qInvNeg * t0 + + u0, c1 = bits.Mul64(m, q0) + _, c0 = bits.Add64(t0, c1, 0) + u1, c1 = bits.Mul64(m, q1) + t0, c0 = bits.Add64(t1, c1, c0) + u2, c1 = bits.Mul64(m, q2) + t1, c0 = bits.Add64(t2, c1, c0) + u3, c1 = bits.Mul64(m, q3) + + t2, c0 = bits.Add64(0, c1, c0) + u3, _ = bits.Add64(u3, 0, c0) + t0, c0 = bits.Add64(u0, t0, 0) + t1, c0 = bits.Add64(u1, t1, c0) + t2, c0 = bits.Add64(u2, t2, c0) + c2, _ = bits.Add64(c2, 0, c0) + t2, c0 = bits.Add64(t3, t2, 0) + t3, _ = bits.Add64(u3, c2, c0) + + } + { + var c0, c1, c2 uint64 + v := x[1] + u0, c1 = bits.Mul64(v, y[0]) + t0, c0 = bits.Add64(c1, t0, 0) + u1, c1 = bits.Mul64(v, y[1]) + t1, c0 = bits.Add64(c1, t1, c0) + u2, c1 = bits.Mul64(v, y[2]) + t2, c0 = bits.Add64(c1, t2, c0) + u3, c1 = bits.Mul64(v, y[3]) + t3, c0 = bits.Add64(c1, t3, c0) + + c2, _ = bits.Add64(0, 0, c0) + t1, c0 = bits.Add64(u0, t1, 0) + t2, c0 = bits.Add64(u1, t2, c0) + t3, c0 = bits.Add64(u2, t3, c0) + c2, _ = bits.Add64(u3, c2, c0) + + m := qInvNeg * t0 + + u0, c1 = bits.Mul64(m, q0) + _, c0 = bits.Add64(t0, c1, 0) + u1, c1 = bits.Mul64(m, q1) + t0, c0 = bits.Add64(t1, c1, c0) + u2, c1 = bits.Mul64(m, q2) + t1, c0 = bits.Add64(t2, c1, c0) + u3, c1 = bits.Mul64(m, q3) + + t2, c0 = bits.Add64(0, c1, c0) + u3, _ = bits.Add64(u3, 0, c0) + t0, c0 = bits.Add64(u0, t0, 0) + t1, c0 = bits.Add64(u1, t1, c0) + t2, c0 = bits.Add64(u2, t2, c0) + c2, _ = bits.Add64(c2, 0, c0) + t2, c0 = bits.Add64(t3, t2, 0) + t3, _ = bits.Add64(u3, c2, c0) + + } + { + var c0, c1, c2 uint64 + v := x[2] + u0, c1 = bits.Mul64(v, y[0]) + t0, c0 = bits.Add64(c1, t0, 0) + u1, c1 = bits.Mul64(v, y[1]) + t1, c0 = bits.Add64(c1, t1, c0) + u2, c1 = bits.Mul64(v, y[2]) + t2, c0 = bits.Add64(c1, t2, c0) + u3, c1 = bits.Mul64(v, y[3]) + t3, c0 = bits.Add64(c1, t3, c0) + + c2, _ = bits.Add64(0, 0, c0) + t1, c0 = bits.Add64(u0, t1, 0) + t2, c0 = bits.Add64(u1, t2, c0) + t3, c0 = bits.Add64(u2, t3, c0) + c2, _ = bits.Add64(u3, c2, c0) + + m := qInvNeg * t0 + + u0, c1 = bits.Mul64(m, q0) + _, c0 = bits.Add64(t0, c1, 0) + u1, c1 = bits.Mul64(m, q1) + t0, c0 = bits.Add64(t1, c1, c0) + u2, c1 = bits.Mul64(m, q2) + t1, c0 = bits.Add64(t2, c1, c0) + u3, c1 = bits.Mul64(m, q3) + + t2, c0 = bits.Add64(0, c1, c0) + u3, _ = bits.Add64(u3, 0, c0) + t0, c0 = bits.Add64(u0, t0, 0) + t1, c0 = bits.Add64(u1, t1, c0) + t2, c0 = bits.Add64(u2, t2, c0) + c2, _ = bits.Add64(c2, 0, c0) + t2, c0 = bits.Add64(t3, t2, 0) + t3, _ = bits.Add64(u3, c2, c0) + + } + { + var c0, c1, c2 uint64 + v := x[3] + u0, c1 = bits.Mul64(v, y[0]) + t0, c0 = bits.Add64(c1, t0, 0) + u1, c1 = bits.Mul64(v, y[1]) + t1, c0 = bits.Add64(c1, t1, c0) + u2, c1 = bits.Mul64(v, y[2]) + t2, c0 = bits.Add64(c1, t2, c0) + u3, c1 = bits.Mul64(v, y[3]) + t3, c0 = bits.Add64(c1, t3, c0) + + c2, _ = bits.Add64(0, 0, c0) + t1, c0 = bits.Add64(u0, t1, 0) + t2, c0 = bits.Add64(u1, t2, c0) + t3, c0 = bits.Add64(u2, t3, c0) + c2, _ = bits.Add64(u3, c2, c0) + + m := qInvNeg * t0 + + u0, c1 = bits.Mul64(m, q0) + _, c0 = bits.Add64(t0, c1, 0) + u1, c1 = bits.Mul64(m, q1) + t0, c0 = bits.Add64(t1, c1, c0) + u2, c1 = bits.Mul64(m, q2) + t1, c0 = bits.Add64(t2, c1, c0) + u3, c1 = bits.Mul64(m, q3) + + t2, c0 = bits.Add64(0, c1, c0) + u3, _ = bits.Add64(u3, 0, c0) + t0, c0 = bits.Add64(u0, t0, 0) + t1, c0 = bits.Add64(u1, t1, c0) + t2, c0 = bits.Add64(u2, t2, c0) + c2, _ = bits.Add64(c2, 0, c0) + t2, c0 = bits.Add64(t3, t2, 0) + t3, _ = bits.Add64(u3, c2, c0) + + } + z[0] = t0 + z[1] = t1 + z[2] = t2 + z[3] = t3 + + // if z ⩾ q → z -= q + if !z.smallerThanModulus() { + var b uint64 + z[0], b = bits.Sub64(z[0], q0, 0) + z[1], b = bits.Sub64(z[1], q1, b) + z[2], b = bits.Sub64(z[2], q2, b) + z[3], _ = bits.Sub64(z[3], q3, b) + } + return z +} + + +func (bigEndian) PutElement(b *[Bytes]byte, e Element) { + e.fromMont() + binary.BigEndian.PutUint64((*b)[24:32], e[0]) + binary.BigEndian.PutUint64((*b)[16:24], e[1]) + binary.BigEndian.PutUint64((*b)[8:16], e[2]) + binary.BigEndian.PutUint64((*b)[0:8], e[3]) +} + +// Bytes returns the value of z as a big-endian byte array +func ToBytes(v Variable) (res [Bytes]byte) { + BigEndian.PutElement(&res, v.(Element)) + return res +} + +// FillBytes sets buf to the absolute value of x, storing it as a zero-extended +// big-endian byte slice, and returns buf. +// +// If the absolute value of x doesn't fit in buf, FillBytes will panic. +func FillBytes(x Variable, buf []byte) []byte { + // Clear whole buffer. (This gets optimized into a memclr.) + for i := range buf { + buf[i] = 0 + } + bytes := ToBytes(x) + copy(buf, bytes[:]) + return buf +} + +// Bytes returns the value of z as a big-endian byte array +func FromBytes(e []byte) Variable { + z := new(Element) + if len(e) == Bytes { + // fast path + v, err := BigEndian.Element((*[Bytes]byte)(e)) + if err == nil { + *z = v + return z + } + } + + // slow path. + // get a big int from our pool + vv := pool.BigInt.Get() + vv.SetBytes(e) + + // set big int + z.SetBigInt(vv) + + // put temporary object back in pool + pool.BigInt.Put(vv) + + return z +} + +// SetBigInt sets z to v and returns z +func (z *Element) SetBigInt(v *big.Int) *Element { + z.SetZero() + + var zero big.Int + + // fast path + c := v.Cmp(&_modulus) + if c == 0 { + // v == 0 + return z + } else if c != 1 && v.Cmp(&zero) != -1 { + // 0 < v < q + return z.setBigInt(v) + } + + // get temporary big int from the pool + vv := pool.BigInt.Get() + + // copy input + modular reduction + vv.Mod(v, &_modulus) + + // set big int byte value + z.setBigInt(vv) + + // release object into pool + pool.BigInt.Put(vv) + return z +} + +// setBigInt assumes 0 ⩽ v < q +func (z *Element) setBigInt(v *big.Int) *Element { + vBits := v.Bits() + + if bits.UintSize == 64 { + for i := 0; i < len(vBits); i++ { + z[i] = uint64(vBits[i]) + } + } else { + for i := 0; i < len(vBits); i++ { + if i%2 == 0 { + z[i/2] = uint64(vBits[i]) + } else { + z[i/2] |= uint64(vBits[i]) << 32 + } + } + } + + return z.toMont() +} + +// Set z = x and returns z +func (z *Element) SetElement(x *Element) *Element { + z[0] = x[0] + z[1] = x[1] + z[2] = x[2] + z[3] = x[3] + return z +} + +func Set(z, x Variable) Variable { + (*z.(*Element)).SetElement(x.(*Element)) + return z +} + // IsCanonical returns true if the Variable has been normalized in a (internal) LinearExpression // by one of the constraint system builder. In other words, if the Variable is a circuit input OR // returned by the API. diff --git a/std/fiat-shamir/settings.go b/std/fiat-shamir/settings.go index 146a64355e..287aa1a20c 100644 --- a/std/fiat-shamir/settings.go +++ b/std/fiat-shamir/settings.go @@ -3,6 +3,7 @@ package fiatshamir import ( "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/std/hash" + "github.com/consensys/gnark/std/math/emulated" ) type Settings struct { @@ -12,6 +13,13 @@ type Settings struct { Hash hash.FieldHasher } +type SettingsFr[FR emulated.FieldParams] struct { + Transcript *Transcript + Prefix string + BaseChallenges []emulated.Element[FR] + Hash hash.FieldHasher +} + func WithTranscript(transcript *Transcript, prefix string, baseChallenges ...frontend.Variable) Settings { return Settings{ Transcript: transcript, @@ -20,6 +28,14 @@ func WithTranscript(transcript *Transcript, prefix string, baseChallenges ...fro } } +func WithTranscriptFr[FR emulated.FieldParams](transcript *Transcript, prefix string, baseChallenges ...emulated.Element[FR]) SettingsFr[FR] { + return SettingsFr[FR]{ + Transcript: transcript, + Prefix: prefix, + BaseChallenges: baseChallenges, + } +} + func WithHash(hash hash.FieldHasher, baseChallenges ...frontend.Variable) Settings { return Settings{ BaseChallenges: baseChallenges, diff --git a/std/gkr/gkr.go b/std/gkr/gkr.go index a715a9d98e..c33f3c4529 100644 --- a/std/gkr/gkr.go +++ b/std/gkr/gkr.go @@ -308,6 +308,7 @@ func Verify(api frontend.API, c Circuit, assignment WireAssignment, proof Proof, claims := newClaimsManager(c, assignment) var firstChallenge []frontend.Variable + // why no bind values here? firstChallenge, err = getChallenges(o.transcript, getFirstChallengeNames(o.nbVars, o.transcriptPrefix)) if err != nil { return err diff --git a/std/gkr/gkr_test.go b/std/gkr/gkr_test.go index d24b25a95c..c5b39fb879 100644 --- a/std/gkr/gkr_test.go +++ b/std/gkr/gkr_test.go @@ -8,8 +8,11 @@ import ( "reflect" "testing" + "github.com/consensys/gnark-crypto/ecc" "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark/frontend/cs/r1cs" + "github.com/consensys/gnark/profile" fiatshamir "github.com/consensys/gnark/std/fiat-shamir" "github.com/consensys/gnark/std/polynomial" "github.com/consensys/gnark/test" @@ -74,6 +77,14 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { TestCaseName: path, } + p:= profile.Start() + frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, validCircuit) + p.Stop() + + fmt.Println(p.NbConstraints()) + fmt.Println(p.Top()) + //r1cs.CheckUnconstrainedWires() + invalidCircuit := &GkrVerifierCircuit{ Input: make([][]frontend.Variable, len(testCase.Input)), Output: make([][]frontend.Variable, len(testCase.Output)), @@ -327,7 +338,6 @@ func TestLoadCircuit(t *testing.T) { assert.Equal(t, []*Wire{}, c[0].Inputs) assert.Equal(t, []*Wire{&c[0]}, c[1].Inputs) assert.Equal(t, []*Wire{&c[1]}, c[2].Inputs) - } func TestTopSortTrivial(t *testing.T) { diff --git a/std/math/emulated/element.go b/std/math/emulated/element.go index f3da9d3c7c..fdcfb9a958 100644 --- a/std/math/emulated/element.go +++ b/std/math/emulated/element.go @@ -6,6 +6,7 @@ import ( "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/internal/utils" + "github.com/consensys/gnark/std/math/bits" ) // Element defines an element in the ring of integers modulo n. The integer @@ -106,3 +107,21 @@ func (e *Element[T]) copy() *Element[T] { r.internal = e.internal return &r } + +// newInternalElement sets the limbs and overflow. Given as a function for later +// possible refactor. +func newInternalElement[T FieldParams](limbs []frontend.Variable, overflow uint) *Element[T] { + return &Element[T]{Limbs: limbs, overflow: overflow, internal: true} +} + +// FromBits returns a new Element given the bits is little-endian order. +func FromBits[FR FieldParams](api frontend.API, bs ...frontend.Variable) *Element[FR] { + var fParams FR + nbLimbs := (uint(len(bs)) + fParams.BitsPerLimb() - 1) / fParams.BitsPerLimb() + limbs := make([]frontend.Variable, nbLimbs) + for i := uint(0); i < nbLimbs-1; i++ { + limbs[i] = bits.FromBinary(api, bs[i*fParams.BitsPerLimb():(i+1)*fParams.BitsPerLimb()]) + } + limbs[nbLimbs-1] = bits.FromBinary(api, bs[(nbLimbs-1)*fParams.BitsPerLimb():]) + return newInternalElement[FR](limbs, 0) +} \ No newline at end of file diff --git a/std/math/emulated/field_mul.go b/std/math/emulated/field_mul.go index 278b9a5024..66537cc846 100644 --- a/std/math/emulated/field_mul.go +++ b/std/math/emulated/field_mul.go @@ -414,6 +414,16 @@ func (f *Field[T]) Mul(a, b *Element[T]) *Element[T] { return f.reduceAndOp(func(a, b *Element[T], u uint) *Element[T] { return f.mulMod(a, b, u, nil) }, f.mulPreCond, a, b) } +// // MulAcc computes a*b and reduces it modulo the field order. The returned Element +// // has default number of limbs and zero overflow. If the result wouldn't fit +// // into Element, then locally reduces the inputs first. Doesn't mutate inputs. +// // +// // For multiplying by a constant, use [Field[T].MulConst] method which is more +// // efficient. +// func (f *Field[T]) MulAcc(a, b *Element[T], c *Element[T]) *Element[T] { +// return f.reduceAndOp(func(a, b *Element[T], u uint) *Element[T] { return f.mulMod(a, b, u, nil) }, f.mulPreCond, a, b) +// } + // MulMod computes a*b and reduces it modulo the field order. The returned Element // has default number of limbs and zero overflow. // diff --git a/std/math/polynomial/polynomial.go b/std/math/polynomial/polynomial.go index e09ef69ef1..05bb9bb9b5 100644 --- a/std/math/polynomial/polynomial.go +++ b/std/math/polynomial/polynomial.go @@ -22,6 +22,10 @@ type Univariate[FR emulated.FieldParams] []emulated.Element[FR] // coefficients. type Multilinear[FR emulated.FieldParams] []emulated.Element[FR] +func (ml *Multilinear[FR]) NumVars() int { + return bits.Len(uint(len(*ml) - 1)) +} + func valueOf[FR emulated.FieldParams](univ []*big.Int) []emulated.Element[FR] { ret := make([]emulated.Element[FR], len(univ)) for i := range univ { @@ -89,6 +93,18 @@ func New[FR emulated.FieldParams](api frontend.API) (*Polynomial[FR], error) { }, nil } +func (p *Polynomial[FR]) Mul(a, b *emulated.Element[FR]) *emulated.Element[FR] { + return p.f.Mul(a, b) +} + +func (p *Polynomial[FR]) Add(a, b *emulated.Element[FR]) *emulated.Element[FR] { + return p.f.Add(a, b) +} + +func (p *Polynomial[FR]) AssertIsEqual(a, b *emulated.Element[FR]) { + p.f.AssertIsEqual(a, b) +} + // EvalUnivariate evaluates univariate polynomial at a point at. It returns the // evaluation. The method does not mutate the inputs. func (p *Polynomial[FR]) EvalUnivariate(P Univariate[FR], at *emulated.Element[FR]) *emulated.Element[FR] { diff --git a/std/polynomial/polynomial.go b/std/polynomial/polynomial.go index 0953cb3ac7..cccbf93563 100644 --- a/std/polynomial/polynomial.go +++ b/std/polynomial/polynomial.go @@ -4,6 +4,7 @@ import ( "math/bits" "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark-crypto/utils" ) type Polynomial []frontend.Variable @@ -11,6 +12,70 @@ type MultiLin []frontend.Variable var minFoldScaledLogSize = 16 +func FromSlice(s []frontend.Variable) []*frontend.Variable { + r := make([]*frontend.Variable, len(s)) + for i := range s { + r[i] = &s[i] + } + return r +} + +// FromSliceReferences maps slice of emulated element references to their values. +func FromSliceReferences(in []*frontend.Variable) []frontend.Variable { + r := make([]frontend.Variable, len(in)) + for i := range in { + r[i] = *in[i] + } + return r +} + +func _clone(m MultiLin, p *Pool) MultiLin { + if p == nil { + return m.Clone() + } else { + return p.Clone(m) + } +} + +func _dump(m MultiLin, p *Pool) { + if p != nil { + p.Dump(m) + } +} + +// Evaluate assumes len(m) = 1 << len(at) +// it doesn't modify m +func (m MultiLin) EvaluatePool(api frontend.API, at []frontend.Variable, pool *Pool) frontend.Variable { + _m := _clone(m, pool) + + /*minFoldScaledLogSize := 16 + if api is r1cs { + minFoldScaledLogSize = math.MaxInt64 // no scaling for r1cs + }*/ + + scaleCorrectionFactor := frontend.Variable(1) + // at each iteration fold by at[i] + for len(_m) > 1 { + if len(_m) >= minFoldScaledLogSize { + scaleCorrectionFactor = api.Mul(scaleCorrectionFactor, _m.foldScaled(api, at[0])) + } else { + _m.Fold(api, at[0]) + } + _m = _m[:len(_m)/2] + at = at[1:] + } + + if len(at) != 0 { + panic("incompatible evaluation vector size") + } + + result := _m[0] + + _dump(_m, pool) + + return api.Mul(result, scaleCorrectionFactor) +} + // Evaluate assumes len(m) = 1 << len(at) // it doesn't modify m func (m MultiLin) Evaluate(api frontend.API, at []frontend.Variable) frontend.Variable { @@ -27,7 +92,7 @@ func (m MultiLin) Evaluate(api frontend.API, at []frontend.Variable) frontend.Va if len(_m) >= minFoldScaledLogSize { scaleCorrectionFactor = api.Mul(scaleCorrectionFactor, _m.foldScaled(api, at[0])) } else { - _m.fold(api, at[0]) + _m.Fold(api, at[0]) } _m = _m[:len(_m)/2] at = at[1:] @@ -42,7 +107,7 @@ func (m MultiLin) Evaluate(api frontend.API, at []frontend.Variable) frontend.Va // fold fixes the value of m's first variable to at, thus halving m's required bookkeeping table size // WARNING: The user should halve m themselves after the call -func (m MultiLin) fold(api frontend.API, at frontend.Variable) { +func (m MultiLin) Fold(api frontend.API, at frontend.Variable) { zero := m[:len(m)/2] one := m[len(m)/2:] for j := range zero { @@ -51,6 +116,43 @@ func (m MultiLin) fold(api frontend.API, at frontend.Variable) { } } +func (m *MultiLin) FoldParallel(api frontend.API, r frontend.Variable) utils.Task { + mid := len(*m) / 2 + bottom, top := (*m)[:mid], (*m)[mid:] + + *m = bottom + + return func(start, end int) { + var t frontend.Variable // no need to update the top part + for i := start; i < end; i++ { + // table[i] ← table[i] + r (table[i + mid] - table[i]) + t = api.Sub(&top[i], &bottom[i]) + t = api.Mul(&t, &r) + bottom[i] = api.Add(&bottom[i], &t) + } + } +} + +// Eq sets m to the representation of the polynomial Eq(q₁, ..., qₙ, *, ..., *) × m[0] +func (m *MultiLin) Eq(api frontend.API, q []frontend.Variable) { + n := len(q) + + if len(*m) != 1< p.subPools[poolI].maxN { + poolI++ + } + return &p.subPools[poolI] // out of bounds error here would mean that n is too large +} + +func (p *Pool) Make(n int) []frontend.Variable { + pool := p.findCorrespondingPool(n) + ptr := pool.get(n) + p.addInUse(ptr, pool) + return unsafe.Slice(ptr, n) +} + +// Dump dumps a set of polynomials into the pool +func (p *Pool) Dump(slices ...[]frontend.Variable) { + for _, slice := range slices { + ptr := getDataPointer(slice) + if metadata, ok := p.inUse.Load(ptr); ok { + p.inUse.Delete(ptr) + metadata.(inUseData).pool.put(ptr) + } else { + panic("attempting to dump a slice not created by the pool") + } + } +} + +func (p *Pool) addInUse(ptr *frontend.Variable, pool *sizedPool) { + pcs := make([]uintptr, 2) + n := runtime.Callers(3, pcs) + + if prevPcs, ok := p.inUse.Load(ptr); ok { // TODO: remove if unnecessary for security + panic(fmt.Errorf("re-allocated non-dumped slice, previously allocated at %v", runtime.CallersFrames(prevPcs.(inUseData).allocatedFor))) + } + p.inUse.Store(ptr, inUseData{ + allocatedFor: pcs[:n], + pool: pool, + }) +} + +func printFrame(frame runtime.Frame) { + fmt.Printf("\t%s line %d, function %s\n", frame.File, frame.Line, frame.Function) +} + +func (p *Pool) printInUse() { + fmt.Println("slices never dumped allocated at:") + p.inUse.Range(func(_, pcs any) bool { + fmt.Println("-------------------------") + + var frame runtime.Frame + frames := runtime.CallersFrames(pcs.(inUseData).allocatedFor) + more := true + for more { + frame, more = frames.Next() + printFrame(frame) + } + return true + }) +} + +type poolStats struct { + Used int + Allocated int + ReuseRate float64 + InUse int + GreatestNUsed int + SmallestNUsed int +} + +type poolsStats struct { + SubPools []poolStats + InUse int +} + +func (s *poolStats) make(n int) { + s.Used++ + s.InUse++ + if n > s.GreatestNUsed { + s.GreatestNUsed = n + } + if s.SmallestNUsed == 0 || s.SmallestNUsed > n { + s.SmallestNUsed = n + } +} + +func (s *poolStats) dump() { + s.InUse-- +} + +func (s *poolStats) finalize() { + s.ReuseRate = float64(s.Used) / float64(s.Allocated) +} + +func getDataPointer(slice []frontend.Variable) *frontend.Variable { + header := (*reflect.SliceHeader)(unsafe.Pointer(&slice)) + return (*frontend.Variable)(unsafe.Pointer(header.Data)) +} + +func (p *Pool) PrintPoolStats() { + InUse := 0 + subStats := make([]poolStats, len(p.subPools)) + for i := range p.subPools { + subPool := &p.subPools[i] + subPool.stats.finalize() + subStats[i] = subPool.stats + InUse += subPool.stats.InUse + } + + stats := poolsStats{ + SubPools: subStats, + InUse: InUse, + } + serialized, _ := json.MarshalIndent(stats, "", " ") + fmt.Println(string(serialized)) + p.printInUse() +} + +func (p *Pool) Clone(slice []frontend.Variable) []frontend.Variable { + res := p.Make(len(slice)) + copy(res, slice) + return res +} diff --git a/std/recursion/sumcheck/arithengine.go b/std/recursion/sumcheck/arithengine.go index e4de69ba0a..e0501b79d3 100644 --- a/std/recursion/sumcheck/arithengine.go +++ b/std/recursion/sumcheck/arithengine.go @@ -76,10 +76,19 @@ func (ee *emuEngine[FR]) Mul(a, b *emulated.Element[FR]) *emulated.Element[FR] { return ee.f.Mul(a, b) } +//todo fix this +func (ee *emuEngine[FR]) MulAcc(a, b, c *emulated.Element[FR]) *emulated.Element[FR] { + return ee.f.Mul(a, b) +} + func (ee *emuEngine[FR]) Sub(a, b *emulated.Element[FR]) *emulated.Element[FR] { return ee.f.Sub(a, b) } +func (ee *emuEngine[FR]) Div(a, b *emulated.Element[FR]) *emulated.Element[FR] { + return ee.f.Div(a, b) +} + func (ee *emuEngine[FR]) One() *emulated.Element[FR] { return ee.f.One() } @@ -88,6 +97,10 @@ func (ee *emuEngine[FR]) Const(i *big.Int) *emulated.Element[FR] { return ee.f.NewElement(i) } +func (ee *emuEngine[FR]) AssertIsEqual(a, b *emulated.Element[FR]) { + ee.f.AssertIsEqual(a, b) +} + func newEmulatedEngine[FR emulated.FieldParams](api frontend.API) (*emuEngine[FR], error) { f, err := emulated.NewField[FR](api) if err != nil { diff --git a/std/recursion/sumcheck/challenge.go b/std/recursion/sumcheck/challenge.go index fb9e87ee4c..ba105ece37 100644 --- a/std/recursion/sumcheck/challenge.go +++ b/std/recursion/sumcheck/challenge.go @@ -51,6 +51,7 @@ func deriveChallengeProver(fs *cryptofiatshamir.Transcript, challengeNames []str return challenge, challengeNames[1:], nil } +// todo change this bind as limbs instead of bits, ask @arya if necessary // bindChallenge binds the values for challengeName using in-circuit Fiat-Shamir transcript. func (v *Verifier[FR]) bindChallenge(fs *fiatshamir.Transcript, challengeName string, values []emulated.Element[FR]) error { for i := range values { diff --git a/std/recursion/sumcheck/claim_intf.go b/std/recursion/sumcheck/claim_intf.go index d2df83aea6..03a76e68fd 100644 --- a/std/recursion/sumcheck/claim_intf.go +++ b/std/recursion/sumcheck/claim_intf.go @@ -3,7 +3,9 @@ package sumcheck import ( "math/big" + "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/std/math/emulated" + "github.com/consensys/gnark/std/polynomial" ) // LazyClaims allows to verify the sumcheck proof by allowing different final evaluations. @@ -37,3 +39,35 @@ type claims interface { // ProverFinalEval returns the (lazy) evaluation proof. ProverFinalEval(r []*big.Int) nativeEvaluationProof } + +// claims is the interface for the claimable function for proving. +type claimsVar interface { + // NbClaims is the number of parallel sumcheck proofs. If larger than one then sumcheck verifier computes a challenge for combining the claims. + NbClaims() int + // NbVars is the number of variables for the evaluatable function. Defines the number of rounds in the sumcheck protocol. + NbVars() int + // Combine combines separate claims into a single sumcheckable claim using + // the coefficient coeff. + Combine(api frontend.API, coeff *frontend.Variable) polynomial.Polynomial + // Next fixes the next free variable to r, keeps the next variable free and + // sums over a hypercube for the last variables. Instead of returning the + // polynomial in coefficient form, it returns the evaluations at degree + // different points. + Next(api frontend.API, r *frontend.Variable) polynomial.Polynomial + // ProverFinalEval returns the (lazy) evaluation proof. + ProverFinalEval(api frontend.API, r []frontend.Variable) nativeEvaluationProof +} + +// LazyClaims allows to verify the sumcheck proof by allowing different final evaluations. +type LazyClaimsVar[FR emulated.FieldParams] interface { + // NbClaims is the number of parallel sumcheck proofs. If larger than one then sumcheck verifier computes a challenge for combining the claims. + NbClaims() int + // NbVars is the number of variables for the evaluatable function. Defines the number of rounds in the sumcheck protocol. + NbVars() int + // CombinedSum returns the folded claim for parallel verification. + CombinedSum(coeff *emulated.Element[FR]) *emulated.Element[FR] + // Degree returns the maximum degree of the variable i-th variable. + Degree(i int) int + // AssertEvaluation (lazily) asserts the correctness of the evaluation value expectedValue of the claim at r. + VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof interface{}) error +} \ No newline at end of file diff --git a/std/recursion/sumcheck/gkr_nonnative.go b/std/recursion/sumcheck/gkr_nonnative.go new file mode 100644 index 0000000000..0dc3db42a1 --- /dev/null +++ b/std/recursion/sumcheck/gkr_nonnative.go @@ -0,0 +1,1362 @@ +package sumcheck + +import ( + "fmt" + "slices" + "strconv" + "math/big" + "sync" + + "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark-crypto/utils" + fiatshamir "github.com/consensys/gnark/std/fiat-shamir" + "github.com/consensys/gnark/std/math/bits" + "github.com/consensys/gnark/std/math/emulated" + "github.com/consensys/gnark/std/math/polynomial" + "github.com/consensys/gnark/std/recursion" + polynative "github.com/consensys/gnark/std/polynomial" +) + +// @tabaie TODO: Contains many things copy-pasted from gnark-crypto. Generify somehow? + +// The goal is to prove/verify evaluations of many instances of the same circuit + +// Gate must be a low-degree polynomial +type Gate interface { + Evaluate(...frontend.Variable) frontend.Variable // removed api ? + Degree() int +} + +type Wire struct { + Gate Gate + Inputs []*Wire // if there are no Inputs, the wire is assumed an input wire + nbUniqueOutputs int // number of other wires using it as input, not counting duplicates (i.e. providing two inputs to the same gate counts as one) +} + +// Gate must be a low-degree polynomial +type GateFr[FR emulated.FieldParams] interface { + Evaluate(...emulated.Element[FR]) emulated.Element[FR] // removed api ? + Degree() int +} + +type WireFr[FR emulated.FieldParams] struct { + Gate GateFr[FR] + Inputs []*WireFr[FR] // if there are no Inputs, the wire is assumed an input wire + nbUniqueOutputs int // number of other wires using it as input, not counting duplicates (i.e. providing two inputs to the same gate counts as one) +} + +type Circuit []Wire + +func (w Wire) IsInput() bool { + return len(w.Inputs) == 0 +} + +func (w Wire) IsOutput() bool { + return w.nbUniqueOutputs == 0 +} + +func (w Wire) NbClaims() int { + if w.IsOutput() { + return 1 + } + return w.nbUniqueOutputs +} + +func (w Wire) nbUniqueInputs() int { + set := make(map[*Wire]struct{}, len(w.Inputs)) + for _, in := range w.Inputs { + set[in] = struct{}{} + } + return len(set) +} + +func (w Wire) noProof() bool { + return w.IsInput() && w.NbClaims() == 1 +} + +func (c Circuit) maxGateDegree() int { + res := 1 + for i := range c { + if !c[i].IsInput() { + res = utils.Max(res, c[i].Gate.Degree()) + } + } + return res +} + +type CircuitFr[FR emulated.FieldParams] []WireFr[FR] + +func (w WireFr[FR]) IsInput() bool { + return len(w.Inputs) == 0 +} + +func (w WireFr[FR]) IsOutput() bool { + return w.nbUniqueOutputs == 0 +} + +func (w WireFr[FR]) NbClaims() int { + if w.IsOutput() { + return 1 + } + return w.nbUniqueOutputs +} + +func (w WireFr[FR]) nbUniqueInputs() int { + set := make(map[*WireFr[FR]]struct{}, len(w.Inputs)) + for _, in := range w.Inputs { + set[in] = struct{}{} + } + return len(set) +} + +func (w WireFr[FR]) noProof() bool { + return w.IsInput() && w.NbClaims() == 1 +} + +// WireAssignment is assignment of values to the same wire across many instances of the circuit +type WireAssignment map[*Wire]polynative.MultiLin + +// WireAssignment is assignment of values to the same wire across many instances of the circuit +type WireAssignmentFr[FR emulated.FieldParams] map[*WireFr[FR]]polynomial.Multilinear[FR] + +type Proofs[FR emulated.FieldParams] []nonNativeProofGKR[FR] // for each layer, for each wire, a sumcheck (for each variable, a polynomial) + +type eqTimesGateEvalSumcheckLazyClaimsFr[FR emulated.FieldParams] struct { + wire *WireFr[FR] + evaluationPoints [][]emulated.Element[FR] + claimedEvaluations []emulated.Element[FR] + manager *claimsManagerFr[FR] // WARNING: Circular references + verifier *GKRVerifier[FR] +} + +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof interface{}) error { + inputEvaluationsNoRedundancy := proof.([]emulated.Element[FR]) + + p, err := polynomial.New[FR](e.verifier.api) + if err != nil { + return err + } + + // the eq terms + numClaims := len(e.evaluationPoints) + evaluation := p.EvalEqual(polynomial.FromSlice(e.evaluationPoints[numClaims-1]), polynomial.FromSlice(r)) + for i := numClaims - 2; i >= 0; i-- { + evaluation = p.Mul(evaluation, &combinationCoeff) + eq := p.EvalEqual(polynomial.FromSlice(e.evaluationPoints[i]), polynomial.FromSlice(r)) + evaluation = p.Add(evaluation, eq) + } + + // the g(...) term + var gateEvaluation emulated.Element[FR] + if e.wire.IsInput() { + gateEvaluationPtr, err := p.EvalMultilinear(polynomial.FromSlice(r), e.manager.assignment[e.wire]) + if err != nil { + return err + } + gateEvaluation = *gateEvaluationPtr + } else { + inputEvaluations := make([]emulated.Element[FR], len(e.wire.Inputs)) + indexesInProof := make(map[*WireFr[FR]]int, len(inputEvaluationsNoRedundancy)) + + proofI := 0 + for inI, in := range e.wire.Inputs { + indexInProof, found := indexesInProof[in] + if !found { + indexInProof = proofI + indexesInProof[in] = indexInProof + + // defer verification, store new claim + e.manager.add(in, r, inputEvaluationsNoRedundancy[indexInProof]) + proofI++ + } + inputEvaluations[inI] = inputEvaluationsNoRedundancy[indexInProof] + } + if proofI != len(inputEvaluationsNoRedundancy) { + return fmt.Errorf("%d input wire evaluations given, %d expected", len(inputEvaluationsNoRedundancy), proofI) + } + gateEvaluation = e.wire.Gate.Evaluate(inputEvaluations...) + } + evaluation = p.Mul(evaluation, &gateEvaluation) + + p.AssertIsEqual(evaluation, &purportedValue) + return nil +} + +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) NbClaims() int { + return len(e.evaluationPoints) +} + +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) NbVars() int { + return len(e.evaluationPoints[0]) +} + +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) CombinedSum(a *emulated.Element[FR]) *emulated.Element[FR] { + evalsAsPoly := polynomial.Univariate[FR](e.claimedEvaluations) + return e.verifier.p.EvalUnivariate(evalsAsPoly, a) +} + +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) Degree(int) int { + return 1 + e.wire.Gate.Degree() +} + +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof EvaluationProof) error { + val, err := e.verifier.p.EvalMultilinear(r, e.manager.assignment[e.wire]) + if err != nil { + return fmt.Errorf("evaluation error: %w", err) + } + e.verifier.p.AssertIsEqual(val, expectedValue) + return nil +} + + +type claimsManagerFr[FR emulated.FieldParams] struct { + claimsMap map[*WireFr[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR] + assignment WireAssignmentFr[FR] +} + +func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR]) (claims claimsManagerFr[FR]) { + claims.assignment = assignment + claims.claimsMap = make(map[*WireFr[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR], len(c)) + + for i := range c { + wire := &c[i] + + claims.claimsMap[wire] = &eqTimesGateEvalSumcheckLazyClaimsFr[FR]{ + wire: wire, + evaluationPoints: make([][]emulated.Element[FR], 0, wire.NbClaims()), + claimedEvaluations: make(polynomial.Multilinear[FR], wire.NbClaims()), + manager: &claims, + } + } + return +} + +func (m *claimsManagerFr[FR]) add(wire *WireFr[FR], evaluationPoint []emulated.Element[FR], evaluation emulated.Element[FR]) { + claim := m.claimsMap[wire] + i := len(claim.evaluationPoints) + claim.claimedEvaluations[i] = evaluation + claim.evaluationPoints = append(claim.evaluationPoints, evaluationPoint) +} + +func (m *claimsManagerFr[FR]) getLazyClaim(wire *WireFr[FR]) *eqTimesGateEvalSumcheckLazyClaimsFr[FR] { + return m.claimsMap[wire] +} + +func (m *claimsManagerFr[FR]) deleteClaim(wire *WireFr[FR]) { + delete(m.claimsMap, wire) +} + +type claimsManager struct { + claimsMap map[*Wire]*eqTimesGateEvalSumcheckLazyClaims + assignment WireAssignment + memPool *polynative.Pool + workers *utils.WorkerPool +} + +func newClaimsManager(c Circuit, assignment WireAssignment, o settings) (claims claimsManager) { + claims.assignment = assignment + claims.claimsMap = make(map[*Wire]*eqTimesGateEvalSumcheckLazyClaims, len(c)) + claims.memPool = o.pool + claims.workers = o.workers + + for i := range c { + wire := &c[i] + + claims.claimsMap[wire] = &eqTimesGateEvalSumcheckLazyClaims{ + wire: wire, + evaluationPoints: make([][]frontend.Variable, 0, wire.NbClaims()), + claimedEvaluations: make([]frontend.Variable, wire.NbClaims()), + manager: &claims, + } + } + return +} + +func (m *claimsManager) add(wire *Wire, evaluationPoint []frontend.Variable, evaluation frontend.Variable) { + claim := m.claimsMap[wire] + i := len(claim.evaluationPoints) + claim.claimedEvaluations[i] = evaluation + claim.evaluationPoints = append(claim.evaluationPoints, evaluationPoint) +} + +func (m *claimsManager) getLazyClaim(wire *Wire) *eqTimesGateEvalSumcheckLazyClaims { + return m.claimsMap[wire] +} + +func (m *claimsManager) getClaim(wire *Wire) *eqTimesGateEvalSumcheckClaims { + lazy := m.claimsMap[wire] + res := &eqTimesGateEvalSumcheckClaims{ + wire: wire, + evaluationPoints: lazy.evaluationPoints, + claimedEvaluations: lazy.claimedEvaluations, + manager: m, + } + + if wire.IsInput() { + res.inputPreprocessors = []polynative.MultiLin{m.memPool.Clone(m.assignment[wire])} + } else { + res.inputPreprocessors = make([]polynative.MultiLin, len(wire.Inputs)) + + for inputI, inputW := range wire.Inputs { + res.inputPreprocessors[inputI] = m.memPool.Clone(m.assignment[inputW]) //will be edited later, so must be deep copied + } + } + return res +} + +func (m *claimsManager) deleteClaim(wire *Wire) { + delete(m.claimsMap, wire) +} + +type eqTimesGateEvalSumcheckLazyClaims struct { + wire *Wire + evaluationPoints [][]frontend.Variable // x in the paper + claimedEvaluations []frontend.Variable // y in the paper + manager *claimsManager +} + +type eqTimesGateEvalSumcheckClaims struct { + wire *Wire + evaluationPoints [][]frontend.Variable // x in the paper + claimedEvaluations []frontend.Variable // y in the paper + manager *claimsManager + + inputPreprocessors []polynative.MultiLin // P_u in the paper, so that we don't need to pass along all the circuit's evaluations + + eq polynative.MultiLin // ∑_i τ_i eq(x_i, -) +} + +func (e *eqTimesGateEvalSumcheckClaims) NbClaims() int { + return len(e.evaluationPoints) +} + +func (e *eqTimesGateEvalSumcheckClaims) NbVars() int { + return len(e.evaluationPoints[0]) +} + +func (c *eqTimesGateEvalSumcheckClaims) Combine(api frontend.API, combinationCoeff *frontend.Variable) polynative.Polynomial { + varsNum := c.NbVars() + eqLength := 1 << varsNum + claimsNum := c.NbClaims() + // initialize the eq tables + c.eq = c.manager.memPool.Make(eqLength) + + c.eq[0] = frontend.Variable(1) + c.eq.Eq(api, c.evaluationPoints[0]) + + newEq := polynative.MultiLin(c.manager.memPool.Make(eqLength)) + aI := combinationCoeff + + for k := 1; k < claimsNum; k++ { // TODO: parallelizable? + // define eq_k = aᵏ eq(x_k1, ..., x_kn, *, ..., *) where x_ki are the evaluation points + frontend.Set(&newEq[0], &aI) + + c.eqAcc(api, c.eq, newEq, c.evaluationPoints[k]) + + // newEq.Eq(c.evaluationPoints[k]) + // eqAsPoly := polynomial.Polynomial(c.eq) //just semantics + // eqAsPoly.Add(eqAsPoly, polynomial.Polynomial(newEq)) + + if k+1 < claimsNum { + api.Mul(&aI, &combinationCoeff) + } + } + + c.manager.memPool.Dump(newEq) + + // from this point on the claim is a rather simple one: g = E(h) × R_v (P_u0(h), ...) where E and the P_u are multilinear and R_v is of low-degree + + return c.computeGJ(api) +} + +// eqAcc sets m to an eq table at q and then adds it to e +func (c *eqTimesGateEvalSumcheckClaims) eqAcc(api frontend.API, e, m polynative.MultiLin, q []frontend.Variable) { + n := len(q) + + //At the end of each iteration, m(h₁, ..., hₙ) = Eq(q₁, ..., qᵢ₊₁, h₁, ..., hᵢ₊₁) + for i := range q { // In the comments we use a 1-based index so q[i] = qᵢ₊₁ + // go through all assignments of (b₁, ..., bᵢ) ∈ {0,1}ⁱ + const threshold = 1 << 6 + k := 1 << i + if k < threshold { + for j := 0; j < k; j++ { + j0 := j << (n - i) // bᵢ₊₁ = 0 + j1 := j0 + 1<<(n-1-i) // bᵢ₊₁ = 1 + + m[j1] = api.Mul(&q[i], &m[j0]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) qᵢ₊₁ + m[j0] = api.Sub(&m[j0], &m[j1]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) (1-qᵢ₊₁) + } + } else { + c.manager.workers.Submit(k, func(start, end int) { + for j := start; j < end; j++ { + j0 := j << (n - i) // bᵢ₊₁ = 0 + j1 := j0 + 1<<(n-1-i) // bᵢ₊₁ = 1 + + m[j1] = api.Mul(&q[i], &m[j0]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) qᵢ₊₁ + m[j0] = api.Sub(&m[j0], &m[j1]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) (1-qᵢ₊₁) + } + }, 1024).Wait() + } + + } + c.manager.workers.Submit(len(e), func(start, end int) { + for i := start; i < end; i++ { + e[i] = api.Add(&e[i], &m[i]) + } + }, 512).Wait() + + // e.Add(e, polynomial.Polynomial(m)) +} + +// computeGJ: gⱼ = ∑_{0≤i<2ⁿ⁻ʲ} g(r₁, r₂, ..., rⱼ₋₁, Xⱼ, i...) = ∑_{0≤i<2ⁿ⁻ʲ} E(r₁, ..., X_j, i...) R_v( P_u0(r₁, ..., X_j, i...), ... ) where E = ∑ eq_k +// the polynomial is represented by the evaluations g_j(1), g_j(2), ..., g_j(deg(g_j)). +// The value g_j(0) is inferred from the equation g_j(0) + g_j(1) = gⱼ₋₁(rⱼ₋₁). By convention, g₀ is a constant polynomial equal to the claimed sum. +func (c *eqTimesGateEvalSumcheckClaims) computeGJ(api frontend.API) polynative.Polynomial { + + degGJ := 1 + c.wire.Gate.Degree() // guaranteed to be no smaller than the actual deg(g_j) + nbGateIn := len(c.inputPreprocessors) + + // Let f ∈ { E(r₁, ..., X_j, d...) } ∪ {P_ul(r₁, ..., X_j, d...) }. It is linear in X_j, so f(m) = m×(f(1) - f(0)) + f(0), and f(0), f(1) are easily computed from the bookkeeping tables + s := make([]polynative.MultiLin, nbGateIn+1) + s[0] = c.eq + copy(s[1:], c.inputPreprocessors) + + // Perf-TODO: Collate once at claim "combination" time and not again. then, even folding can be done in one operation every time "next" is called + nbInner := len(s) // wrt output, which has high nbOuter and low nbInner + nbOuter := len(s[0]) / 2 + + gJ := make([]frontend.Variable, degGJ) + var mu sync.Mutex + computeAll := func(start, end int) { + var step frontend.Variable + + res := make([]frontend.Variable, degGJ) + operands := make([]frontend.Variable, degGJ*nbInner) + + for i := start; i < end; i++ { + + block := nbOuter + i + for j := 0; j < nbInner; j++ { + frontend.Set(step, s[j][i]) + frontend.Set(operands[j], s[j][block]) + step = api.Sub(&operands[j], &step) + for d := 1; d < degGJ; d++ { + operands[d*nbInner+j] = api.Add(&operands[(d-1)*nbInner+j], &step) + } + } + + _s := 0 + _e := nbInner + for d := 0; d < degGJ; d++ { + summand := c.wire.Gate.Evaluate(operands[_s+1 : _e]...) + summand = api.Mul(&summand, &operands[_s]) + res[d] = api.Add(&res[d], &summand) + _s, _e = _e, _e+nbInner + } + } + mu.Lock() + for i := 0; i < len(gJ); i++ { + gJ[i] = api.Add(&gJ[i], &res[i]) + } + mu.Unlock() + } + + const minBlockSize = 64 + + if nbOuter < minBlockSize { + // no parallelization + computeAll(0, nbOuter) + } else { + c.manager.workers.Submit(nbOuter, computeAll, minBlockSize).Wait() + } + + // Perf-TODO: Separate functions Gate.TotalDegree and Gate.Degree(i) so that we get to use possibly smaller values for degGJ. Won't help with MiMC though + + return gJ +} + +// Next first folds the "preprocessing" and "eq" polynomials then compute the new g_j +func (c *eqTimesGateEvalSumcheckClaims) Next(api frontend.API, element *frontend.Variable) polynative.Polynomial { + const minBlockSize = 512 + n := len(c.eq) / 2 + if n < minBlockSize { + // no parallelization + for i := 0; i < len(c.inputPreprocessors); i++ { + c.inputPreprocessors[i].Fold(api, element) + } + c.eq.Fold(api, element) + } else { + wgs := make([]*sync.WaitGroup, len(c.inputPreprocessors)) + for i := 0; i < len(c.inputPreprocessors); i++ { + wgs[i] = c.manager.workers.Submit(n, c.inputPreprocessors[i].FoldParallel(api, element), minBlockSize) + } + c.manager.workers.Submit(n, c.eq.FoldParallel(api, element), minBlockSize).Wait() + for _, wg := range wgs { + wg.Wait() + } + } + + return c.computeGJ(api) +} + +func (c *eqTimesGateEvalSumcheckClaims) ProverFinalEval(api frontend.API, r []frontend.Variable) nativeEvaluationProof { + + //defer the proof, return list of claims + evaluations := make([]frontend.Variable, 0, len(c.wire.Inputs)) + noMoreClaimsAllowed := make(map[*Wire]struct{}, len(c.inputPreprocessors)) + noMoreClaimsAllowed[c.wire] = struct{}{} + + for inI, in := range c.wire.Inputs { + puI := c.inputPreprocessors[inI] + if _, found := noMoreClaimsAllowed[in]; !found { + noMoreClaimsAllowed[in] = struct{}{} + puI.Fold(api, r[len(r)-1]) + c.manager.add(in, r, puI[0]) + evaluations = append(evaluations, puI[0]) + } + c.manager.memPool.Dump(puI) + } + + c.manager.memPool.Dump(c.claimedEvaluations, c.eq) + + return evaluations +} + +func (e *eqTimesGateEvalSumcheckClaims) Degree(int) int { + return 1 + e.wire.Gate.Degree() +} + +func setup(api frontend.API, c Circuit, assignment WireAssignment, transcriptSettings fiatshamir.Settings, options ...OptionGkr) (settings, error) { + var o settings + var err error + for _, option := range options { + option(&o) + } + + + + o.nbVars = assignment.NumVars() + nbInstances := assignment.NumInstances() + if 1< res[1] { // make sure it's sorted + res[0], res[1] = res[1], res[0] + if res[1] > res[2] { + res[1], res[2] = res[2], res[1] + } + } + + return res +} + +type ProofGkr []nativeProofGKR + +type OptionGkr func(*settings) + +type settingsFr[FR emulated.FieldParams] struct { + sorted []*WireFr[FR] + transcript *fiatshamir.Transcript + transcriptPrefix string + nbVars int +} + +type OptionFr[FR emulated.FieldParams] func(*settingsFr[FR]) + +func WithSortedCircuit[FR emulated.FieldParams](sorted []*WireFr[FR]) OptionFr[FR] { + return func(options *settingsFr[FR]) { + options.sorted = sorted + } +} + +// Verifier allows to check sumcheck proofs. See [NewVerifier] for initializing the instance. +type GKRVerifier[FR emulated.FieldParams] struct { + api frontend.API + f *emulated.Field[FR] + p *polynomial.Polynomial[FR] + *config +} + +// NewVerifier initializes a new sumcheck verifier for the parametric emulated +// field FR. It returns an error if the given options are invalid or when +// initializing emulated arithmetic fails. +func NewGKRVerifier[FR emulated.FieldParams](api frontend.API, opts ...Option) (*GKRVerifier[FR], error) { + cfg, err := newConfig(opts...) + if err != nil { + return nil, fmt.Errorf("new configuration: %w", err) + } + f, err := emulated.NewField[FR](api) + if err != nil { + return nil, fmt.Errorf("new field: %w", err) + } + p, err := polynomial.New[FR](api) + if err != nil { + return nil, fmt.Errorf("new polynomial: %w", err) + } + return &GKRVerifier[FR]{ + api: api, + f: f, + p: p, + config: cfg, + }, nil +} + +// bindChallenge binds the values for challengeName using in-circuit Fiat-Shamir transcript. +func (v *GKRVerifier[FR]) bindChallenge(fs *fiatshamir.Transcript, challengeName string, values []emulated.Element[FR]) error { + for i := range values { + bts := v.f.ToBits(&values[i]) + slices.Reverse(bts) + if err := fs.Bind(challengeName, bts); err != nil { + return fmt.Errorf("bind challenge %s %d: %w", challengeName, i, err) + } + } + return nil +} + +// deriveChallenge binds the values for challengeName and then returns the +// challenge using in-circuit Fiat-Shamir transcript. It also returns the rest +// of the challenge names for used in the protocol. +func (v *GKRVerifier[FR]) deriveChallenge(fs *fiatshamir.Transcript, challengeNames []string, values []emulated.Element[FR]) (challenge *emulated.Element[FR], restChallengeNames []string, err error) { + var fr FR + if err = v.bindChallenge(fs, challengeNames[0], values); err != nil { + return nil, nil, fmt.Errorf("bind: %w", err) + } + nativeChallenge, err := fs.ComputeChallenge(challengeNames[0]) + if err != nil { + return nil, nil, fmt.Errorf("compute challenge %s: %w", challengeNames[0], err) + } + // TODO: when implementing better way (construct from limbs instead of bits) then change + chBts := bits.ToBinary(v.api, nativeChallenge, bits.WithNbDigits(fr.Modulus().BitLen())) + challenge = v.f.FromBits(chBts...) + return challenge, challengeNames[1:], nil +} + +func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitFr[FR], assignment WireAssignmentFr[FR], transcriptSettings fiatshamir.Settings, options []OptionFr[FR], sumcheck_opts ...VerifyOption[FR]) (settingsFr[FR], error) { + var fr FR + var o settingsFr[FR] + var err error + for _, option := range options { + option(&o) + } + + cfg, err := newVerificationConfig(sumcheck_opts...) + if err != nil { + return o, fmt.Errorf("verification opts: %w", err) + } + + o.nbVars = assignment.NumVars() + nbInstances := assignment.NumInstances() + if 1< b { + return a + } + return b +} + +func ChallengeNames(sorted []*Wire, logNbInstances int, prefix string) []string { + + // Pre-compute the size TODO: Consider not doing this and just grow the list by appending + size := logNbInstances // first challenge + + for _, w := range sorted { + if w.noProof() { // no proof, no challenge + continue + } + if w.NbClaims() > 1 { //combine the claims + size++ + } + size += logNbInstances // full run of sumcheck on logNbInstances variables + } + + nums := make([]string, max(len(sorted), logNbInstances)) + for i := range nums { + nums[i] = strconv.Itoa(i) + } + + challenges := make([]string, size) + + // output wire claims + firstChallengePrefix := prefix + "fC." + for j := 0; j < logNbInstances; j++ { + challenges[j] = firstChallengePrefix + nums[j] + } + j := logNbInstances + for i := len(sorted) - 1; i >= 0; i-- { + if sorted[i].noProof() { + continue + } + wirePrefix := prefix + "w" + nums[i] + "." + + if sorted[i].NbClaims() > 1 { + challenges[j] = wirePrefix + "comb" + j++ + } + + partialSumPrefix := wirePrefix + "pSP." + for k := 0; k < logNbInstances; k++ { + challenges[j] = partialSumPrefix + nums[k] + j++ + } + } + return challenges +} + +func ChallengeNamesFr[FR emulated.FieldParams](sorted []*WireFr[FR], logNbInstances int, prefix string) []string { + + // Pre-compute the size TODO: Consider not doing this and just grow the list by appending + size := logNbInstances // first challenge + + for _, w := range sorted { + if w.noProof() { // no proof, no challenge + continue + } + if w.NbClaims() > 1 { //combine the claims + size++ + } + size += logNbInstances // full run of sumcheck on logNbInstances variables + } + + nums := make([]string, max(len(sorted), logNbInstances)) + for i := range nums { + nums[i] = strconv.Itoa(i) + } + + challenges := make([]string, size) + + // output wire claims + firstChallengePrefix := prefix + "fC." + for j := 0; j < logNbInstances; j++ { + challenges[j] = firstChallengePrefix + nums[j] + } + j := logNbInstances + for i := len(sorted) - 1; i >= 0; i-- { + if sorted[i].noProof() { + continue + } + wirePrefix := prefix + "w" + nums[i] + "." + + if sorted[i].NbClaims() > 1 { + challenges[j] = wirePrefix + "comb" + j++ + } + + partialSumPrefix := wirePrefix + "pSP." + for k := 0; k < logNbInstances; k++ { + challenges[j] = partialSumPrefix + nums[k] + j++ + } + } + return challenges +} + +func getFirstChallengeNames(logNbInstances int, prefix string) []string { + res := make([]string, logNbInstances) + firstChallengePrefix := prefix + "fC." + for i := 0; i < logNbInstances; i++ { + res[i] = firstChallengePrefix + strconv.Itoa(i) + } + return res +} + +func getChallenges(transcript *fiatshamir.Transcript, names []string) (challenges []frontend.Variable, err error) { + challenges = make([]frontend.Variable, len(names)) + for i, name := range names { + if challenges[i], err = transcript.ComputeChallenge(name); err != nil { + return + } + } + return +} + +func getFirstChallengeNamesFr[FR emulated.FieldParams](logNbInstances int, prefix string) []string { + res := make([]string, logNbInstances) + firstChallengePrefix := prefix + "fC." + for i := 0; i < logNbInstances; i++ { + res[i] = firstChallengePrefix + strconv.Itoa(i) + } + return res +} + +func (v *GKRVerifier[FR]) getChallengesFr(transcript *fiatshamir.Transcript, names []string) (challenges []emulated.Element[FR], err error) { + challenges = make([]emulated.Element[FR], len(names)) + var challenge emulated.Element[FR] + var fr FR + for i, name := range names { + nativeChallenge, err := transcript.ComputeChallenge(name); + if err != nil { + return nil, fmt.Errorf("compute challenge %s: %w", names, err) + } + // TODO: when implementing better way (construct from limbs instead of bits) then change + chBts := bits.ToBinary(v.api, nativeChallenge, bits.WithNbDigits(fr.Modulus().BitLen())) + challenge = *v.f.FromBits(chBts...) + challenges[i] = challenge + + } + return challenges, nil +} + +// Prove consistency of the claimed assignment +func Prove(api frontend.API, target *big.Int, c Circuit, assignment WireAssignment, transcriptSettings fiatshamir.Settings, options ...OptionGkr) (ProofGkr, error) { + o, err := setup(api, c, assignment, transcriptSettings, options...) + if err != nil { + return nil, err + } + defer o.workers.Stop() + + claims := newClaimsManager(c, assignment, o) + + proof := make(ProofGkr, len(c)) + // firstChallenge called rho in the paper + var firstChallenge []frontend.Variable + firstChallenge, err = getChallenges(o.transcript, getFirstChallengeNames(o.nbVars, o.transcriptPrefix)) + if err != nil { + return nil, err + } + + wirePrefix := o.transcriptPrefix + "w" + var baseChallenge []frontend.Variable + for i := len(c) - 1; i >= 0; i-- { + + wire := o.sorted[i] + + if wire.IsOutput() { + claims.add(wire, firstChallenge, assignment[wire].EvaluatePool(api, firstChallenge, claims.memPool)) + } + + claim := claims.getClaim(wire) + if wire.noProof() { // input wires with one claim only + proof[i] = nativeProofGKR{ + PartialSumPolys: []polynative.Polynomial{}, + FinalEvalProof: []frontend.Variable{}, + } + } else { + if proof[i], err = SumcheckProve( + api, target, claim, fiatshamir.WithTranscript(o.transcript, wirePrefix+strconv.Itoa(i)+".", baseChallenge...), + ); err != nil { + return proof, err + } + + finalEvalProof := proof[i].FinalEvalProof.([]frontend.Variable) + baseChallenge = make([]frontend.Variable, len(finalEvalProof)) + for j := range finalEvalProof { + bytes := frontend.ToBytes(finalEvalProof[j]) + baseChallenge[j] = bytes[:] + } + } + // the verifier checks a single claim about input wires itself + claims.deleteClaim(wire) + } + + return proof, nil +} + +// Verify the consistency of the claimed output with the claimed input +// Unlike in Prove, the assignment argument need not be complete, +// Use valueOfProof[FR](proof) to convert nativeproof by prover into nonnativeproof used by in-circuit verifier +func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment WireAssignmentFr[FR], proof Proofs[FR], transcriptSettings fiatshamir.Settings, options []OptionFr[FR], sumcheck_opts ...VerifyOption[FR]) error { + o, err := v.setup(api, c, assignment, transcriptSettings, options, sumcheck_opts...) + if err != nil { + return err + } + sumcheck_verifier, err := NewVerifier[FR](api) + if err != nil { + return err + } + + claims := newClaimsManagerFr(c, assignment) + var firstChallenge []emulated.Element[FR] + firstChallenge, err = v.getChallengesFr(o.transcript, getFirstChallengeNamesFr[FR](o.nbVars, o.transcriptPrefix)) + if err != nil { + return err + } + + wirePrefix := o.transcriptPrefix + "w" + var baseChallenge []emulated.Element[FR] + for i := len(c) - 1; i >= 0; i-- { + wire := o.sorted[i] + + if wire.IsOutput() { + var evaluation emulated.Element[FR] + evaluationPtr, err := v.p.EvalMultilinear(polynomial.FromSlice(firstChallenge), assignment[wire]) + if err != nil { + return err + } + evaluation = *evaluationPtr + claims.add(wire, firstChallenge, evaluation) + } + + proofW := proof[i] + finalEvalProof := proofW.FinalEvalProof.([]emulated.Element[FR]) + claim := claims.getLazyClaim(wire) + + if wire.noProof() { // input wires with one claim only + // make sure the proof is empty + if len(finalEvalProof) != 0 || len(proofW.PartialSumPolys) != 0 { + return fmt.Errorf("no proof allowed for input wire with a single claim") + } + + if wire.NbClaims() == 1 { // input wire + // simply evaluate and see if it matches + var evaluation emulated.Element[FR] + evaluationPtr, err := v.p.EvalMultilinear(polynomial.FromSlice(claim.evaluationPoints[0]), assignment[wire]) + if err != nil { + return err + } + evaluation = *evaluationPtr + api.AssertIsEqual(claim.claimedEvaluations[0], evaluation) + } + } else if err = sumcheck_verifier.VerifyForGkr( + claim, proof[i], fiatshamir.WithTranscriptFr(o.transcript, wirePrefix+strconv.Itoa(i)+".", baseChallenge...), + ); err == nil { + baseChallenge = finalEvalProof + _ = baseChallenge + } else { + return err + } + claims.deleteClaim(wire) + } + return nil +} + +type IdentityGate struct{} + +func (IdentityGate) Evaluate(input ...frontend.Variable) frontend.Variable { + return input[0] +} + +func (IdentityGate) Degree() int { + return 1 +} + +// outputsList also sets the nbUniqueOutputs fields. It also sets the wire metadata. +func outputsList(c Circuit, indexes map[*Wire]int) [][]int { + res := make([][]int, len(c)) + for i := range c { + res[i] = make([]int, 0) + c[i].nbUniqueOutputs = 0 + if c[i].IsInput() { + c[i].Gate = IdentityGate{} + } + } + ins := make(map[int]struct{}, len(c)) + for i := range c { + for k := range ins { // clear map + delete(ins, k) + } + for _, in := range c[i].Inputs { + inI := indexes[in] + res[inI] = append(res[inI], i) + if _, ok := ins[inI]; !ok { + in.nbUniqueOutputs++ + ins[inI] = struct{}{} + } + } + } + return res +} + +type topSortData struct { + outputs [][]int + status []int // status > 0 indicates number of inputs left to be ready. status = 0 means ready. status = -1 means done + index map[*Wire]int + leastReady int +} + +func (d *topSortData) markDone(i int) { + + d.status[i] = -1 + + for _, outI := range d.outputs[i] { + d.status[outI]-- + if d.status[outI] == 0 && outI < d.leastReady { + d.leastReady = outI + } + } + + for d.leastReady < len(d.status) && d.status[d.leastReady] != 0 { + d.leastReady++ + } +} + +func indexMap(c Circuit) map[*Wire]int { + res := make(map[*Wire]int, len(c)) + for i := range c { + res[&c[i]] = i + } + return res +} + +func statusList(c Circuit) []int { + res := make([]int, len(c)) + for i := range c { + res[i] = len(c[i].Inputs) + } + return res +} + +type IdentityGateFr[FR emulated.FieldParams] struct{} + +func (IdentityGateFr[FR]) Evaluate(input ...emulated.Element[FR]) emulated.Element[FR] { + return input[0] +} + +func (IdentityGateFr[FR]) Degree() int { + return 1 +} + +// outputsList also sets the nbUniqueOutputs fields. It also sets the wire metadata. +func outputsListFr[FR emulated.FieldParams](c CircuitFr[FR], indexes map[*WireFr[FR]]int) [][]int { + res := make([][]int, len(c)) + for i := range c { + res[i] = make([]int, 0) + c[i].nbUniqueOutputs = 0 + if c[i].IsInput() { + c[i].Gate = IdentityGateFr[FR]{} + } + } + ins := make(map[int]struct{}, len(c)) + for i := range c { + for k := range ins { // clear map + delete(ins, k) + } + for _, in := range c[i].Inputs { + inI := indexes[in] + res[inI] = append(res[inI], i) + if _, ok := ins[inI]; !ok { + in.nbUniqueOutputs++ + ins[inI] = struct{}{} + } + } + } + return res +} + +type topSortDataFr[FR emulated.FieldParams] struct { + outputs [][]int + status []int // status > 0 indicates number of inputs left to be ready. status = 0 means ready. status = -1 means done + index map[*WireFr[FR]]int + leastReady int +} + +func (d *topSortDataFr[FR]) markDone(i int) { + + d.status[i] = -1 + + for _, outI := range d.outputs[i] { + d.status[outI]-- + if d.status[outI] == 0 && outI < d.leastReady { + d.leastReady = outI + } + } + + for d.leastReady < len(d.status) && d.status[d.leastReady] != 0 { + d.leastReady++ + } +} + +func indexMapFr[FR emulated.FieldParams](c CircuitFr[FR]) map[*WireFr[FR]]int { + res := make(map[*WireFr[FR]]int, len(c)) + for i := range c { + res[&c[i]] = i + } + return res +} + +func statusListFr[FR emulated.FieldParams](c CircuitFr[FR]) []int { + res := make([]int, len(c)) + for i := range c { + res[i] = len(c[i].Inputs) + } + return res +} + +// TODO: Have this use algo_utils.TopologicalSort underneath + +// topologicalSort sorts the wires in order of dependence. Such that for any wire, any one it depends on +// occurs before it. It tries to stick to the input order as much as possible. An already sorted list will remain unchanged. +// It also sets the nbOutput flags, and a dummy IdentityGate for input wires. +// Worst-case inefficient O(n^2), but that probably won't matter since the circuits are small. +// Furthermore, it is efficient with already-close-to-sorted lists, which are the expected input +func topologicalSort(c Circuit) []*Wire { + var data topSortData + data.index = indexMap(c) + data.outputs = outputsList(c, data.index) + data.status = statusList(c) + sorted := make([]*Wire, len(c)) + + for data.leastReady = 0; data.status[data.leastReady] != 0; data.leastReady++ { + } + + for i := range c { + sorted[i] = &c[data.leastReady] + data.markDone(data.leastReady) + } + + return sorted +} + +func (a WireAssignment) NumInstances() int { + for _, aW := range a { + if aW != nil { + return len(aW) + } + } + panic("empty assignment") +} + +func (a WireAssignment) NumVars() int { + for _, aW := range a { + if aW != nil { + return aW.NumVars() + } + } + panic("empty assignment") +} + +func topologicalSortFr[FR emulated.FieldParams](c CircuitFr[FR]) []*WireFr[FR] { + var data topSortDataFr[FR] + data.index = indexMapFr(c) + data.outputs = outputsListFr(c, data.index) + data.status = statusListFr(c) + sorted := make([]*WireFr[FR], len(c)) + + for data.leastReady = 0; data.status[data.leastReady] != 0; data.leastReady++ { + } + + for i := range c { + sorted[i] = &c[data.leastReady] + data.markDone(data.leastReady) + } + + return sorted +} + +func (a WireAssignmentFr[FR]) NumInstances() int { + for _, aW := range a { + if aW != nil { + return len(aW) + } + } + panic("empty assignment") +} + +func (a WireAssignmentFr[FR]) NumVars() int { + for _, aW := range a { + if aW != nil { + return aW.NumVars() + } + } + panic("empty assignment") +} + +func (p Proofs[FR]) Serialize() []emulated.Element[FR] { + size := 0 + for i := range p { + for j := range p[i].PartialSumPolys { + size += len(p[i].PartialSumPolys[j]) + } + size += len(p[i].FinalEvalProof.([]emulated.Element[FR])) + } + + res := make([]emulated.Element[FR], 0, size) + for i := range p { + for j := range p[i].PartialSumPolys { + res = append(res, p[i].PartialSumPolys[j]...) + } + res = append(res, p[i].FinalEvalProof.([]emulated.Element[FR])...) + } + if len(res) != size { + panic("bug") // TODO: Remove + } + return res +} + +func computeLogNbInstances[FR emulated.FieldParams](wires []*WireFr[FR], serializedProofLen int) int { + partialEvalElemsPerVar := 0 + for _, w := range wires { + if !w.noProof() { + partialEvalElemsPerVar += w.Gate.Degree() + 1 + } + serializedProofLen -= w.nbUniqueOutputs + } + return serializedProofLen / partialEvalElemsPerVar +} + +type variablesReader[FR emulated.FieldParams] []emulated.Element[FR] + +func (r *variablesReader[FR]) nextN(n int) []emulated.Element[FR] { + res := (*r)[:n] + *r = (*r)[n:] + return res +} + +func (r *variablesReader[FR]) hasNextN(n int) bool { + return len(*r) >= n +} + +func DeserializeProof[FR emulated.FieldParams](sorted []*WireFr[FR], serializedProof []emulated.Element[FR]) (Proofs[FR], error) { + proof := make(Proofs[FR], len(sorted)) + logNbInstances := computeLogNbInstances(sorted, len(serializedProof)) + + reader := variablesReader[FR](serializedProof) + for i, wI := range sorted { + if !wI.noProof() { + proof[i].PartialSumPolys = make([]polynomial.Univariate[FR], logNbInstances) + for j := range proof[i].PartialSumPolys { + proof[i].PartialSumPolys[j] = reader.nextN(wI.Gate.Degree() + 1) + } + } + proof[i].FinalEvalProof = reader.nextN(wI.nbUniqueInputs()) + } + if reader.hasNextN(1) { + return nil, fmt.Errorf("proof too long: expected %d encountered %d", len(serializedProof)-len(reader), len(serializedProof)) + } + return proof, nil +} + +type MulGate[FR emulated.FieldParams] struct{} + +func (g MulGate[FR]) Evaluate(api emuEngine[FR], x ...emulated.Element[FR]) emulated.Element[FR] { + if len(x) != 2 { + panic("mul has fan-in 2") + } + return *api.Mul(&x[0], &x[1]) +} + +// TODO: Degree must take nbInputs as an argument and return degree = nbInputs +func (g MulGate[FR]) Degree() int { + return 2 +} + +type AddGate[FR emulated.FieldParams] struct{} + +func (a AddGate[FR]) Evaluate(api emuEngine[FR], v ...emulated.Element[FR]) emulated.Element[FR] { + switch len(v) { + case 0: + return *api.Const(big.NewInt(0)) + case 1: + return v[0] + } + rest := v[2:] + res := api.Add(&v[0], &v[1]) + for _, e := range rest { + res = api.Add(res, &e) + } + return *res +} + +func (a AddGate[FR]) Degree() int { + return 1 +} + +// var Gates[FR] = map[string]Gate[FR]{ +// "identity": IdentityGate[FR]{}, +// "add": AddGate[FR]{}, +// "mul": MulGate[FR]{}, +// } + +// func Gates[FR emulated.FieldParams]() map[string]Gate[FR] { +// return map[string]Gate[FR]{ +// "identity": IdentityGate[FR]{}, +// "add": AddGate[FR]{}, +// "mul": MulGate[FR]{}, +// } +// } \ No newline at end of file diff --git a/std/recursion/sumcheck/polynomial.go b/std/recursion/sumcheck/polynomial.go index aaeb318fe4..2025b2329d 100644 --- a/std/recursion/sumcheck/polynomial.go +++ b/std/recursion/sumcheck/polynomial.go @@ -83,3 +83,84 @@ func eqAcc(api *bigIntEngine, e nativeMultilinear, m nativeMultilinear, q []*big } return e } + +// func (m nonNativeMultilinear[FR]) Clone() nonNativeMultilinear[FR] { +// clone := make(nonNativeMultilinear[FR], len(m)) +// for i := range m { +// clone[i] = new(emulated.Element[FR]) +// *clone[i] = *m[i] +// } +// return clone +// } + +// // fold fixes the value of m's first variable to at, thus halving m's required bookkeeping table size +// // WARNING: The user should halve m themselves after the call +// func (m nonNativeMultilinear[FR]) fold(api emuEngine[FR], at emulated.Element[FR]) { +// zero := m[:len(m)/2] +// one := m[len(m)/2:] +// for j := range zero { +// diff := api.Sub(one[j], zero[j]) +// zero[j] = api.MulAcc(zero[j], diff, &at) +// } +// } + +// // foldScaled(m, at) = fold(m, at) / (1 - at) +// // it returns 1 - at, for convenience +// func (m nonNativeMultilinear[FR]) foldScaled(api emuEngine[FR], at emulated.Element[FR]) (denom emulated.Element[FR]) { +// denom = *api.Sub(api.One(), &at) +// coeff := *api.Div(&at, &denom) +// zero := m[:len(m)/2] +// one := m[len(m)/2:] +// for j := range zero { +// zero[j] = api.MulAcc(zero[j], one[j], &coeff) +// } +// return +// } + +// var minFoldScaledLogSize = 16 + +// // Evaluate assumes len(m) = 1 << len(at) +// // it doesn't modify m +// func (m nonNativeMultilinear[FR]) EvaluateFR(api emuEngine[FR], at []emulated.Element[FR]) emulated.Element[FR] { +// _m := m.Clone() + +// /*minFoldScaledLogSize := 16 +// if api is r1cs { +// minFoldScaledLogSize = math.MaxInt64 // no scaling for r1cs +// }*/ + +// scaleCorrectionFactor := api.One() +// // at each iteration fold by at[i] +// for len(_m) > 1 { +// if len(_m) >= minFoldScaledLogSize { +// denom := _m.foldScaled(api, at[0]) +// scaleCorrectionFactor = api.Mul(scaleCorrectionFactor, &denom) +// } else { +// _m.fold(api, at[0]) +// } +// _m = _m[:len(_m)/2] +// at = at[1:] +// } + +// if len(at) != 0 { +// panic("incompatible evaluation vector size") +// } + +// return *api.Mul(_m[0], scaleCorrectionFactor) +// } + +// // EvalEq returns Πⁿ₁ Eq(xᵢ, yᵢ) = Πⁿ₁ xᵢyᵢ + (1-xᵢ)(1-yᵢ) = Πⁿ₁ (1 + 2xᵢyᵢ - xᵢ - yᵢ). Is assumes len(x) = len(y) =: n +// func EvalEqFR[FR emulated.FieldParams](api emuEngine[FR], x, y []emulated.Element[FR]) (eq emulated.Element[FR]) { + +// eq = *api.One() +// for i := range x { +// next := api.Mul(&x[i], &y[i]) +// next = api.Add(next, next) +// next = api.Add(next, api.One()) +// next = api.Sub(next, &x[i]) +// next = api.Sub(next, &y[i]) + +// eq = *api.Mul(&eq, next) +// } +// return +// } \ No newline at end of file diff --git a/std/recursion/sumcheck/proof.go b/std/recursion/sumcheck/proof.go index cdba88cc7d..1d3e2813a9 100644 --- a/std/recursion/sumcheck/proof.go +++ b/std/recursion/sumcheck/proof.go @@ -3,6 +3,7 @@ package sumcheck import ( "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark/std/math/polynomial" + polynative "github.com/consensys/gnark/std/polynomial" ) // Proof contains the prover messages in the sumcheck protocol. @@ -19,6 +20,16 @@ type nativeProof struct { FinalEvalProof nativeEvaluationProof } +type nativeProofGKR struct { + PartialSumPolys []polynative.Polynomial + FinalEvalProof nativeEvaluationProof +} + +type nonNativeProofGKR[FR emulated.FieldParams] struct { + PartialSumPolys []polynomial.Univariate[FR] + FinalEvalProof nativeEvaluationProof +} + // EvaluationProof is proof for allowing the sumcheck verifier to perform the // final evaluation needed to complete the check. It is untyped as it depends // how the final evaluation is implemented: diff --git a/std/recursion/sumcheck/prover.go b/std/recursion/sumcheck/prover.go index c075cf1530..bbf2ac0c15 100644 --- a/std/recursion/sumcheck/prover.go +++ b/std/recursion/sumcheck/prover.go @@ -3,8 +3,14 @@ package sumcheck import ( "fmt" "math/big" + "slices" + "strconv" fiatshamir "github.com/consensys/gnark-crypto/fiat-shamir" + "github.com/consensys/gnark/frontend" + fiatshamirGnark "github.com/consensys/gnark/std/fiat-shamir" + "github.com/consensys/gnark/std/math/bits" + "github.com/consensys/gnark/std/polynomial" "github.com/consensys/gnark/std/recursion" ) @@ -88,3 +94,91 @@ func prove(current *big.Int, target *big.Int, claims claims, opts ...proverOptio return proof, nil } + +// todo change this bind as limbs instead of bits, ask @arya if necessary +// bindChallenge binds the values for challengeName using in-circuit Fiat-Shamir transcript. +func bindChallenge(api frontend.API, targetModulus *big.Int, fs *fiatshamirGnark.Transcript, challengeName string, values []frontend.Variable) error { + for i := range values { + bts := bits.ToBinary(api, values[i], bits.WithNbDigits(targetModulus.BitLen())) + slices.Reverse(bts) + if err := fs.Bind(challengeName, bts); err != nil { + return fmt.Errorf("bind challenge %s %d: %w", challengeName, i, err) + } + } + return nil +} + +func setupTranscript(api frontend.API, targetModulus *big.Int, claimsNum int, varsNum int, settings *fiatshamirGnark.Settings) ([]string, error) { + + numChallenges := varsNum + if claimsNum >= 2 { + numChallenges++ + } + challengeNames := make([]string, numChallenges) + if claimsNum >= 2 { + challengeNames[0] = settings.Prefix + "comb" + } + prefix := settings.Prefix + "pSP." + for i := 0; i < varsNum; i++ { + challengeNames[i+numChallenges-varsNum] = prefix + strconv.Itoa(i) + } + // todo check if settings.Transcript is nil + if settings.Transcript == nil { + var err error + settings.Transcript, err = recursion.NewTranscript(api, targetModulus, challengeNames) // not passing settings.hash check + if err != nil { + return nil, err + } + } + + return challengeNames, bindChallenge(api, targetModulus, settings.Transcript, challengeNames[0], settings.BaseChallenges) +} + +func next(transcript *fiatshamirGnark.Transcript, bindings []frontend.Variable, remainingChallengeNames *[]string) (frontend.Variable, error) { + challengeName := (*remainingChallengeNames)[0] + if err := transcript.Bind(challengeName, bindings); err != nil { + return nil, err + } + + res, err := transcript.ComputeChallenge(challengeName) + *remainingChallengeNames = (*remainingChallengeNames)[1:] + return res, err +} + +// Prove create a non-interactive sumcheck proof +func SumcheckProve(api frontend.API, targetModulus *big.Int, claims claimsVar, transcriptSettings fiatshamirGnark.Settings) (nativeProofGKR, error) { + + var proof nativeProofGKR + remainingChallengeNames, err := setupTranscript(api, targetModulus, claims.NbClaims(), claims.NbVars(), &transcriptSettings) + transcript := transcriptSettings.Transcript + if err != nil { + return proof, err + } + + var combinationCoeff frontend.Variable + if claims.NbClaims() >= 2 { + if combinationCoeff, err = next(transcript, []frontend.Variable{}, &remainingChallengeNames); err != nil { + return proof, err + } + } + + varsNum := claims.NbVars() + proof.PartialSumPolys = make([]polynomial.Polynomial, varsNum) + proof.PartialSumPolys[0] = claims.Combine(api, &combinationCoeff) + challenges := make([]frontend.Variable, varsNum) + + for j := 0; j+1 < varsNum; j++ { + if challenges[j], err = next(transcript, proof.PartialSumPolys[j], &remainingChallengeNames); err != nil { + return proof, err + } + proof.PartialSumPolys[j+1] = claims.Next(api, &challenges[j]) + } + + if challenges[varsNum-1], err = next(transcript, proof.PartialSumPolys[varsNum-1], &remainingChallengeNames); err != nil { + return proof, err + } + + proof.FinalEvalProof = claims.ProverFinalEval(api, challenges) + + return proof, nil +} \ No newline at end of file diff --git a/std/recursion/sumcheck/verifier.go b/std/recursion/sumcheck/verifier.go index 6674453ea8..265af0f18f 100644 --- a/std/recursion/sumcheck/verifier.go +++ b/std/recursion/sumcheck/verifier.go @@ -2,8 +2,9 @@ package sumcheck import ( "fmt" - + "strconv" "github.com/consensys/gnark/frontend" + fiatshamir "github.com/consensys/gnark/std/fiat-shamir" "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark/std/math/polynomial" "github.com/consensys/gnark/std/recursion" @@ -16,6 +17,38 @@ type config struct { // Option allows to alter the sumcheck verifier behaviour. type Option func(c *config) error +func (v *Verifier[FR]) setupTranscript(claimsNum int, varsNum int, settings *fiatshamir.SettingsFr[FR]) ([]string, error) { + var fr FR + numChallenges := varsNum + if claimsNum >= 2 { + numChallenges++ + } + challengeNames := make([]string, numChallenges) + if claimsNum >= 2 { + challengeNames[0] = settings.Prefix + "comb" + } + prefix := settings.Prefix + "pSP." + for i := 0; i < varsNum; i++ { + challengeNames[i+numChallenges-varsNum] = prefix + strconv.Itoa(i) + } + // todo check if settings.Transcript is nil + if settings.Transcript == nil { + var err error + settings.Transcript, err = recursion.NewTranscript(v.api, fr.Modulus(), challengeNames) // not passing settings.hash check + if err != nil { + return nil, err + } + } + + return challengeNames, v.bindChallenge(settings.Transcript, challengeNames[0], settings.BaseChallenges) +} + +func (v *Verifier[FR]) next(transcript *fiatshamir.Transcript, bindings []emulated.Element[FR], remainingChallengeNames *[]string) (emulated.Element[FR], error) { + challenge, newRemainingChallengeNames, err := v.deriveChallenge(transcript, *remainingChallengeNames, bindings) + *remainingChallengeNames = newRemainingChallengeNames + return *challenge, err +} + // WithClaimPrefix prepends the given string to the challenge names when // computing the challenges inside the sumcheck verifier. The option is used in // a higher level protocols to ensure that sumcheck claims are not interchanged. @@ -179,3 +212,55 @@ func (v *Verifier[FR]) Verify(claims LazyClaims[FR], proof Proof[FR], opts ...Ve return nil } + +// VerifyForGkr verifies the sumcheck proof for the given (lazy) claims. +func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativeProofGKR[FR], transcriptSettings fiatshamir.SettingsFr[FR]) error { + + remainingChallengeNames, err := v.setupTranscript(claims.NbClaims(), claims.NbVars(), &transcriptSettings) + transcript := transcriptSettings.Transcript + if err != nil { + return err + } + + var combinationCoef emulated.Element[FR] + + if claims.NbClaims() >= 2 { + if combinationCoef, err = v.next(transcript, []emulated.Element[FR]{}, &remainingChallengeNames); err != nil { + return err + } + } + + r := make([]emulated.Element[FR], claims.NbVars()) + + // Just so that there is enough room for gJ to be reused + maxDegree := claims.Degree(0) + for j := 1; j < claims.NbVars(); j++ { + if d := claims.Degree(j); d > maxDegree { + maxDegree = d + } + } + + gJ := make([]*emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() + // gJR is the claimed value. In case of multiple claims it is combined + // claimed value we're going to check against. + gJR := claims.CombinedSum(&combinationCoef) + + for j := 0; j < claims.NbVars(); j++ { + partialSumPoly := proof.PartialSumPolys[j] //proof.PartialSumPolys(j) + if len(partialSumPoly) != claims.Degree(j) { + return fmt.Errorf("malformed proof") //Malformed proof + } + copy(polynomial.FromSliceReferences(gJ[1:]), partialSumPoly) + gJ[0] = v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) + // gJ is ready + + //Prepare for the next iteration + if r[j], err = v.next(transcript, proof.PartialSumPolys[j], &remainingChallengeNames); err != nil { + return err + } + + gJR = v.p.InterpolateLDE(&r[j], gJ[:(claims.Degree(j)+1)]) + } + + return claims.VerifyFinalEval(r, combinationCoef, *gJR, proof.FinalEvalProof) +} \ No newline at end of file diff --git a/std/sumcheck/sumcheck.go b/std/sumcheck/sumcheck.go index de3689cbb8..6d5b95b572 100644 --- a/std/sumcheck/sumcheck.go +++ b/std/sumcheck/sumcheck.go @@ -14,7 +14,7 @@ type LazyClaims interface { ClaimsNum() int // ClaimsNum = m VarsNum() int // VarsNum = n CombinedSum(api frontend.API, a frontend.Variable) frontend.Variable // CombinedSum returns c = ∑_{1≤j≤m} aʲ⁻¹cⱼ - Degree(i int) int //Degree of the total claim in the i'th variable + Degree(i int) int // Degree of the total claim in the i'th variable VerifyFinalEval(api frontend.API, r []frontend.Variable, combinationCoeff, purportedValue frontend.Variable, proof interface{}) error } @@ -81,7 +81,7 @@ func Verify(api frontend.API, claims LazyClaims, proof Proof, transcriptSettings } } - gJ := make(polynomial.Polynomial, maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() + gJ := make(polynomial.Polynomial, maxDegree+1) // At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() gJR := claims.CombinedSum(api, combinationCoeff) // At the beginning of iteration j, gJR = ∑_{i < 2ⁿ⁻ʲ} g(r₁, ..., rⱼ, i...) for j := 0; j < claims.VarsNum(); j++ { From 2825fdc8b6d94391f9587de77eb2426886ff9472 Mon Sep 17 00:00:00 2001 From: amit0365 Date: Wed, 12 Jun 2024 15:09:17 -0400 Subject: [PATCH 02/26] removed unused fns --- std/recursion/sumcheck/gkr_nonnative.go | 29 +------------------------ 1 file changed, 1 insertion(+), 28 deletions(-) diff --git a/std/recursion/sumcheck/gkr_nonnative.go b/std/recursion/sumcheck/gkr_nonnative.go index 0dc3db42a1..d1f0dcd8b1 100644 --- a/std/recursion/sumcheck/gkr_nonnative.go +++ b/std/recursion/sumcheck/gkr_nonnative.go @@ -673,24 +673,6 @@ func (v *GKRVerifier[FR]) bindChallenge(fs *fiatshamir.Transcript, challengeName return nil } -// deriveChallenge binds the values for challengeName and then returns the -// challenge using in-circuit Fiat-Shamir transcript. It also returns the rest -// of the challenge names for used in the protocol. -func (v *GKRVerifier[FR]) deriveChallenge(fs *fiatshamir.Transcript, challengeNames []string, values []emulated.Element[FR]) (challenge *emulated.Element[FR], restChallengeNames []string, err error) { - var fr FR - if err = v.bindChallenge(fs, challengeNames[0], values); err != nil { - return nil, nil, fmt.Errorf("bind: %w", err) - } - nativeChallenge, err := fs.ComputeChallenge(challengeNames[0]) - if err != nil { - return nil, nil, fmt.Errorf("compute challenge %s: %w", challengeNames[0], err) - } - // TODO: when implementing better way (construct from limbs instead of bits) then change - chBts := bits.ToBinary(v.api, nativeChallenge, bits.WithNbDigits(fr.Modulus().BitLen())) - challenge = v.f.FromBits(chBts...) - return challenge, challengeNames[1:], nil -} - func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitFr[FR], assignment WireAssignmentFr[FR], transcriptSettings fiatshamir.Settings, options []OptionFr[FR], sumcheck_opts ...VerifyOption[FR]) (settingsFr[FR], error) { var fr FR var o settingsFr[FR] @@ -866,15 +848,6 @@ func getChallenges(transcript *fiatshamir.Transcript, names []string) (challenge return } -func getFirstChallengeNamesFr[FR emulated.FieldParams](logNbInstances int, prefix string) []string { - res := make([]string, logNbInstances) - firstChallengePrefix := prefix + "fC." - for i := 0; i < logNbInstances; i++ { - res[i] = firstChallengePrefix + strconv.Itoa(i) - } - return res -} - func (v *GKRVerifier[FR]) getChallengesFr(transcript *fiatshamir.Transcript, names []string) (challenges []emulated.Element[FR], err error) { challenges = make([]emulated.Element[FR], len(names)) var challenge emulated.Element[FR] @@ -963,7 +936,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W claims := newClaimsManagerFr(c, assignment) var firstChallenge []emulated.Element[FR] - firstChallenge, err = v.getChallengesFr(o.transcript, getFirstChallengeNamesFr[FR](o.nbVars, o.transcriptPrefix)) + firstChallenge, err = v.getChallengesFr(o.transcript, getFirstChallengeNames(o.nbVars, o.transcriptPrefix)) if err != nil { return err } From 94a68668ef212647ba0a5eb8aa1c388677145804 Mon Sep 17 00:00:00 2001 From: amit0365 Date: Wed, 12 Jun 2024 22:08:03 -0400 Subject: [PATCH 03/26] added some tests --- std/fiat-shamir/settings.go | 7 + std/math/emulated/element.go | 4 + std/recursion/sumcheck/claim_intf.go | 2 +- std/recursion/sumcheck/gkr_nonnative.go | 48 +- std/recursion/sumcheck/gkr_nonnative_test.go | 712 ++++++++++++++++++ std/recursion/sumcheck/proof.go | 4 +- .../mimc_five_levels_two_instances._json | 7 + .../resources/mimc_five_levels.json | 36 + .../resources/single_identity_gate.json | 10 + .../single_input_two_identity_gates.json | 14 + .../resources/single_input_two_outs.json | 14 + .../resources/single_mimc_gate.json | 7 + .../resources/single_mul_gate.json | 14 + ..._identity_gates_composed_single_input.json | 14 + .../two_inputs_select-input-3_gate.json | 14 + .../single_identity_gate_two_instances.json | 36 + ...nput_two_identity_gates_two_instances.json | 56 ++ .../single_input_two_outs_two_instances.json | 57 ++ .../single_mimc_gate_four_instances.json | 67 ++ .../single_mimc_gate_two_instances.json | 51 ++ .../single_mul_gate_two_instances.json | 46 ++ ...s_composed_single_input_two_instances.json | 47 ++ ...uts_select-input-3_gate_two_instances.json | 45 ++ 23 files changed, 1283 insertions(+), 29 deletions(-) create mode 100644 std/recursion/sumcheck/gkr_nonnative_test.go create mode 100644 std/recursion/sumcheck/test_vectors/mimc_five_levels_two_instances._json create mode 100644 std/recursion/sumcheck/test_vectors/resources/mimc_five_levels.json create mode 100644 std/recursion/sumcheck/test_vectors/resources/single_identity_gate.json create mode 100644 std/recursion/sumcheck/test_vectors/resources/single_input_two_identity_gates.json create mode 100644 std/recursion/sumcheck/test_vectors/resources/single_input_two_outs.json create mode 100644 std/recursion/sumcheck/test_vectors/resources/single_mimc_gate.json create mode 100644 std/recursion/sumcheck/test_vectors/resources/single_mul_gate.json create mode 100644 std/recursion/sumcheck/test_vectors/resources/two_identity_gates_composed_single_input.json create mode 100644 std/recursion/sumcheck/test_vectors/resources/two_inputs_select-input-3_gate.json create mode 100644 std/recursion/sumcheck/test_vectors/single_identity_gate_two_instances.json create mode 100644 std/recursion/sumcheck/test_vectors/single_input_two_identity_gates_two_instances.json create mode 100644 std/recursion/sumcheck/test_vectors/single_input_two_outs_two_instances.json create mode 100644 std/recursion/sumcheck/test_vectors/single_mimc_gate_four_instances.json create mode 100644 std/recursion/sumcheck/test_vectors/single_mimc_gate_two_instances.json create mode 100644 std/recursion/sumcheck/test_vectors/single_mul_gate_two_instances.json create mode 100644 std/recursion/sumcheck/test_vectors/two_identity_gates_composed_single_input_two_instances.json create mode 100644 std/recursion/sumcheck/test_vectors/two_inputs_select-input-3_gate_two_instances.json diff --git a/std/fiat-shamir/settings.go b/std/fiat-shamir/settings.go index 287aa1a20c..3b712b02b4 100644 --- a/std/fiat-shamir/settings.go +++ b/std/fiat-shamir/settings.go @@ -42,3 +42,10 @@ func WithHash(hash hash.FieldHasher, baseChallenges ...frontend.Variable) Settin Hash: hash, } } + +func WithHashFr[FR emulated.FieldParams](hash hash.FieldHasher, baseChallenges ...emulated.Element[FR]) SettingsFr[FR] { + return SettingsFr[FR]{ + BaseChallenges: baseChallenges, + Hash: hash, + } +} \ No newline at end of file diff --git a/std/math/emulated/element.go b/std/math/emulated/element.go index fdcfb9a958..f7ac0bb43d 100644 --- a/std/math/emulated/element.go +++ b/std/math/emulated/element.go @@ -124,4 +124,8 @@ func FromBits[FR FieldParams](api frontend.API, bs ...frontend.Variable) *Elemen } limbs[nbLimbs-1] = bits.FromBinary(api, bs[(nbLimbs-1)*fParams.BitsPerLimb():]) return newInternalElement[FR](limbs, 0) +} + +func CreateConstElement[T FieldParams](v interface{}) *Element[T] { + return newConstElement[T](v) } \ No newline at end of file diff --git a/std/recursion/sumcheck/claim_intf.go b/std/recursion/sumcheck/claim_intf.go index 03a76e68fd..3511ac39a7 100644 --- a/std/recursion/sumcheck/claim_intf.go +++ b/std/recursion/sumcheck/claim_intf.go @@ -69,5 +69,5 @@ type LazyClaimsVar[FR emulated.FieldParams] interface { // Degree returns the maximum degree of the variable i-th variable. Degree(i int) int // AssertEvaluation (lazily) asserts the correctness of the evaluation value expectedValue of the claim at r. - VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof interface{}) error + VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof EvaluationProofFr[FR]) error } \ No newline at end of file diff --git a/std/recursion/sumcheck/gkr_nonnative.go b/std/recursion/sumcheck/gkr_nonnative.go index d1f0dcd8b1..d31c2f0f8e 100644 --- a/std/recursion/sumcheck/gkr_nonnative.go +++ b/std/recursion/sumcheck/gkr_nonnative.go @@ -21,6 +21,11 @@ import ( // The goal is to prove/verify evaluations of many instances of the same circuit +// type gateinput struct { +// api arithEngine +// element ...emulated.Element +// } + // Gate must be a low-degree polynomial type Gate interface { Evaluate(...frontend.Variable) frontend.Variable // removed api ? @@ -35,7 +40,7 @@ type Wire struct { // Gate must be a low-degree polynomial type GateFr[FR emulated.FieldParams] interface { - Evaluate(...emulated.Element[FR]) emulated.Element[FR] // removed api ? + Evaluate(emuEngine[FR], ...emulated.Element[FR]) emulated.Element[FR] // removed api ? Degree() int } @@ -129,8 +134,8 @@ type eqTimesGateEvalSumcheckLazyClaimsFr[FR emulated.FieldParams] struct { verifier *GKRVerifier[FR] } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof interface{}) error { - inputEvaluationsNoRedundancy := proof.([]emulated.Element[FR]) +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof EvaluationProofFr[FR]) error { + inputEvaluationsNoRedundancy := proof p, err := polynomial.New[FR](e.verifier.api) if err != nil { @@ -174,7 +179,7 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.E if proofI != len(inputEvaluationsNoRedundancy) { return fmt.Errorf("%d input wire evaluations given, %d expected", len(inputEvaluationsNoRedundancy), proofI) } - gateEvaluation = e.wire.Gate.Evaluate(inputEvaluations...) + gateEvaluation = e.wire.Gate.Evaluate(e.verifier.engine, inputEvaluations...) } evaluation = p.Mul(evaluation, &gateEvaluation) @@ -199,7 +204,7 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) Degree(int) int { return 1 + e.wire.Gate.Degree() } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof EvaluationProof) error { +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof EvaluationProofFr[FR]) error { val, err := e.verifier.p.EvalMultilinear(r, e.manager.assignment[e.wire]) if err != nil { return fmt.Errorf("evaluation error: %w", err) @@ -533,8 +538,6 @@ func setup(api frontend.API, c Circuit, assignment WireAssignment, transcriptSet option(&o) } - - o.nbVars = assignment.NumVars() nbInstances := assignment.NumInstances() if 1< Date: Thu, 13 Jun 2024 16:25:20 -0400 Subject: [PATCH 04/26] Debugged nil elements -m added verifier in claimsmaanager and popoulated it in verify -m using emulated.assertequal in verify -m removed unused frombits in element as @arya pointed -m --- std/math/emulated/element.go | 23 --- std/recursion/sumcheck/gkr_nonnative.go | 8 +- std/recursion/sumcheck/gkr_nonnative_test.go | 162 +------------------ std/recursion/sumcheck/verifier.go | 9 +- 4 files changed, 14 insertions(+), 188 deletions(-) diff --git a/std/math/emulated/element.go b/std/math/emulated/element.go index f7ac0bb43d..6ad12d7942 100644 --- a/std/math/emulated/element.go +++ b/std/math/emulated/element.go @@ -6,7 +6,6 @@ import ( "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/internal/utils" - "github.com/consensys/gnark/std/math/bits" ) // Element defines an element in the ring of integers modulo n. The integer @@ -106,26 +105,4 @@ func (e *Element[T]) copy() *Element[T] { r.overflow = e.overflow r.internal = e.internal return &r -} - -// newInternalElement sets the limbs and overflow. Given as a function for later -// possible refactor. -func newInternalElement[T FieldParams](limbs []frontend.Variable, overflow uint) *Element[T] { - return &Element[T]{Limbs: limbs, overflow: overflow, internal: true} -} - -// FromBits returns a new Element given the bits is little-endian order. -func FromBits[FR FieldParams](api frontend.API, bs ...frontend.Variable) *Element[FR] { - var fParams FR - nbLimbs := (uint(len(bs)) + fParams.BitsPerLimb() - 1) / fParams.BitsPerLimb() - limbs := make([]frontend.Variable, nbLimbs) - for i := uint(0); i < nbLimbs-1; i++ { - limbs[i] = bits.FromBinary(api, bs[i*fParams.BitsPerLimb():(i+1)*fParams.BitsPerLimb()]) - } - limbs[nbLimbs-1] = bits.FromBinary(api, bs[(nbLimbs-1)*fParams.BitsPerLimb():]) - return newInternalElement[FR](limbs, 0) -} - -func CreateConstElement[T FieldParams](v interface{}) *Element[T] { - return newConstElement[T](v) } \ No newline at end of file diff --git a/std/recursion/sumcheck/gkr_nonnative.go b/std/recursion/sumcheck/gkr_nonnative.go index d31c2f0f8e..02dda334e2 100644 --- a/std/recursion/sumcheck/gkr_nonnative.go +++ b/std/recursion/sumcheck/gkr_nonnative.go @@ -219,7 +219,7 @@ type claimsManagerFr[FR emulated.FieldParams] struct { assignment WireAssignmentFr[FR] } -func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR]) (claims claimsManagerFr[FR]) { +func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR], verifier GKRVerifier[FR]) (claims claimsManagerFr[FR]) { claims.assignment = assignment claims.claimsMap = make(map[*WireFr[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR], len(c)) @@ -231,6 +231,8 @@ func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment Wir evaluationPoints: make([][]emulated.Element[FR], 0, wire.NbClaims()), claimedEvaluations: make(polynomial.Multilinear[FR], wire.NbClaims()), manager: &claims, + verifier: &verifier, + } } return @@ -938,7 +940,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } - claims := newClaimsManagerFr(c, assignment) + claims := newClaimsManagerFr(c, assignment, *v) var firstChallenge []emulated.Element[FR] firstChallenge, err = v.getChallengesFr(o.transcript, getFirstChallengeNames(o.nbVars, o.transcriptPrefix)) if err != nil { @@ -978,7 +980,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } evaluation = *evaluationPtr - api.AssertIsEqual(claim.claimedEvaluations[0], evaluation) + v.f.AssertIsEqual(&claim.claimedEvaluations[0], &evaluation) } } else if err = sumcheck_verifier.VerifyForGkr( claim, proof[i], fiatshamir.WithTranscriptFr(o.transcript, wirePrefix+strconv.Itoa(i)+".", baseChallenge...), diff --git a/std/recursion/sumcheck/gkr_nonnative_test.go b/std/recursion/sumcheck/gkr_nonnative_test.go index 64d4a9c78e..48d95c1900 100644 --- a/std/recursion/sumcheck/gkr_nonnative_test.go +++ b/std/recursion/sumcheck/gkr_nonnative_test.go @@ -147,7 +147,7 @@ func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { assignment := makeInOutAssignment(testCase.Circuit, c.Input, c.Output) // initiating hash in bitmode, remove and do it with hashdescription instead - h, err := recursion.NewHash(api, fr.Modulus(), true) + hsh, err := recursion.NewHash(api, fr.Modulus(), true) if err != nil { return err } @@ -160,7 +160,7 @@ func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { // } // } - return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](h)) + return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](hsh)) } func makeInOutAssignment[FR emulated.FieldParams](c CircuitFr[FR], inputValues [][]emulated.Element[FR], outputValues [][]emulated.Element[FR]) WireAssignmentFr[FR] { @@ -416,9 +416,9 @@ func TestTopSortWide(t *testing.T) { func ToVariableFr[FR emulated.FieldParams](v interface{}) emulated.Element[FR] { switch vT := v.(type) { case float64: - return *emulated.CreateConstElement[FR](int(vT)) + return *new(emulated.Field[FR]).NewElement(int(vT)) default: - return *emulated.CreateConstElement[FR](v) + return *new(emulated.Field[FR]).NewElement(v) } } @@ -556,157 +556,3 @@ func (m MiMCCipherGate) Degree() int { return 7 } -// type PrintableProof []PrintableSumcheckProof - -// type PrintableSumcheckProof struct { -// FinalEvalProof interface{} `json:"finalEvalProof"` -// PartialSumPolys [][]interface{} `json:"partialSumPolys"` -// } - -// func unmarshalProof(printable PrintableProof) (Proof, error) { -// proof := make(Proof, len(printable)) -// for i := range printable { -// finalEvalProof := []fr.Element(nil) - -// if printable[i].FinalEvalProof != nil { -// finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) -// finalEvalProof = make([]fr.Element, finalEvalSlice.Len()) -// for k := range finalEvalProof { -// if _, err := test_vector_utils.SetElement(&finalEvalProof[k], finalEvalSlice.Index(k).Interface()); err != nil { -// return nil, err -// } -// } -// } - -// proof[i] = sumcheck.Proof{ -// PartialSumPolys: make([]polynomial.Polynomial, len(printable[i].PartialSumPolys)), -// FinalEvalProof: finalEvalProof, -// } -// for k := range printable[i].PartialSumPolys { -// var err error -// if proof[i].PartialSumPolys[k], err = test_vector_utils.SliceToElementSlice(printable[i].PartialSumPolys[k]); err != nil { -// return nil, err -// } -// } -// } -// return proof, nil -// } - -// type TestCase struct { -// Circuit Circuit -// Hash hash.Hash -// Proof Proof -// FullAssignment WireAssignment -// InOutAssignment WireAssignment -// } - -// type TestCaseInfo struct { -// Hash test_vector_utils.HashDescription `json:"hash"` -// Circuit string `json:"circuit"` -// Input [][]interface{} `json:"input"` -// Output [][]interface{} `json:"output"` -// Proof PrintableProof `json:"proof"` -// } - -// var testCases = make(map[string]*TestCase) - -// func newTestCase(path string) (*TestCase, error) { -// path, err := filepath.Abs(path) -// if err != nil { -// return nil, err -// } -// dir := filepath.Dir(path) - -// tCase, ok := testCases[path] -// if !ok { -// var bytes []byte -// if bytes, err = os.ReadFile(path); err == nil { -// var info TestCaseInfo -// err = json.Unmarshal(bytes, &info) -// if err != nil { -// return nil, err -// } - -// var circuit Circuit -// if circuit, err = getCircuit(filepath.Join(dir, info.Circuit)); err != nil { -// return nil, err -// } -// var _hash hash.Hash -// if _hash, err = test_vector_utils.HashFromDescription(info.Hash); err != nil { -// return nil, err -// } -// var proof Proof -// if proof, err = unmarshalProof(info.Proof); err != nil { -// return nil, err -// } - -// fullAssignment := make(WireAssignment) -// inOutAssignment := make(WireAssignment) - -// sorted := topologicalSort(circuit) - -// inI, outI := 0, 0 -// for _, w := range sorted { -// var assignmentRaw []interface{} -// if w.IsInput() { -// if inI == len(info.Input) { -// return nil, fmt.Errorf("fewer input in vector than in circuit") -// } -// assignmentRaw = info.Input[inI] -// inI++ -// } else if w.IsOutput() { -// if outI == len(info.Output) { -// return nil, fmt.Errorf("fewer output in vector than in circuit") -// } -// assignmentRaw = info.Output[outI] -// outI++ -// } -// if assignmentRaw != nil { -// var wireAssignment []fr.Element -// if wireAssignment, err = test_vector_utils.SliceToElementSlice(assignmentRaw); err != nil { -// return nil, err -// } - -// fullAssignment[w] = wireAssignment -// inOutAssignment[w] = wireAssignment -// } -// } - -// fullAssignment.Complete(circuit) - -// for _, w := range sorted { -// if w.IsOutput() { - -// if err = test_vector_utils.SliceEquals(inOutAssignment[w], fullAssignment[w]); err != nil { -// return nil, fmt.Errorf("assignment mismatch: %v", err) -// } - -// } -// } - -// tCase = &TestCase{ -// FullAssignment: fullAssignment, -// InOutAssignment: inOutAssignment, -// Proof: proof, -// Hash: _hash, -// Circuit: circuit, -// } - -// testCases[path] = tCase -// } else { -// return nil, err -// } -// } - -// return tCase, nil -// } - -// type _select int - -// func (g _select) Evaluate(in ...fr.Element) fr.Element { -// return in[g] -// } - -// func (g _select) Degree() int { -// return 1 -// } diff --git a/std/recursion/sumcheck/verifier.go b/std/recursion/sumcheck/verifier.go index 265af0f18f..565de6e1b5 100644 --- a/std/recursion/sumcheck/verifier.go +++ b/std/recursion/sumcheck/verifier.go @@ -240,7 +240,7 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro } } - gJ := make([]*emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() + gJ := make([]emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() // gJR is the claimed value. In case of multiple claims it is combined // claimed value we're going to check against. gJR := claims.CombinedSum(&combinationCoef) @@ -250,8 +250,9 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro if len(partialSumPoly) != claims.Degree(j) { return fmt.Errorf("malformed proof") //Malformed proof } - copy(polynomial.FromSliceReferences(gJ[1:]), partialSumPoly) - gJ[0] = v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) + + copy(gJ[1:], partialSumPoly) + gJ[0] = *v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) // gJ is ready //Prepare for the next iteration @@ -259,7 +260,7 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro return err } - gJR = v.p.InterpolateLDE(&r[j], gJ[:(claims.Degree(j)+1)]) + gJR = v.p.InterpolateLDE(&r[j], polynomial.FromSlice(gJ[:(claims.Degree(j)+1)])) } return claims.VerifyFinalEval(r, combinationCoef, *gJR, proof.FinalEvalProof) From 2b303423b0c7de4059dd424618f06068d4527bfe Mon Sep 17 00:00:00 2001 From: amit0365 Date: Thu, 13 Jun 2024 16:29:22 -0400 Subject: [PATCH 05/26] Revert "Debugged nil elements -m added verifier in claimsmaanager and popoulated it in verify -m using emulated.assertequal in verify -m removed unused frombits in element as @arya pointed -m" This reverts commit 6cbdc748032880216168b322a1bdf9d61167e58b. --- std/math/emulated/element.go | 23 +++ std/recursion/sumcheck/gkr_nonnative.go | 8 +- std/recursion/sumcheck/gkr_nonnative_test.go | 162 ++++++++++++++++++- std/recursion/sumcheck/verifier.go | 9 +- 4 files changed, 188 insertions(+), 14 deletions(-) diff --git a/std/math/emulated/element.go b/std/math/emulated/element.go index 6ad12d7942..f7ac0bb43d 100644 --- a/std/math/emulated/element.go +++ b/std/math/emulated/element.go @@ -6,6 +6,7 @@ import ( "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/internal/utils" + "github.com/consensys/gnark/std/math/bits" ) // Element defines an element in the ring of integers modulo n. The integer @@ -105,4 +106,26 @@ func (e *Element[T]) copy() *Element[T] { r.overflow = e.overflow r.internal = e.internal return &r +} + +// newInternalElement sets the limbs and overflow. Given as a function for later +// possible refactor. +func newInternalElement[T FieldParams](limbs []frontend.Variable, overflow uint) *Element[T] { + return &Element[T]{Limbs: limbs, overflow: overflow, internal: true} +} + +// FromBits returns a new Element given the bits is little-endian order. +func FromBits[FR FieldParams](api frontend.API, bs ...frontend.Variable) *Element[FR] { + var fParams FR + nbLimbs := (uint(len(bs)) + fParams.BitsPerLimb() - 1) / fParams.BitsPerLimb() + limbs := make([]frontend.Variable, nbLimbs) + for i := uint(0); i < nbLimbs-1; i++ { + limbs[i] = bits.FromBinary(api, bs[i*fParams.BitsPerLimb():(i+1)*fParams.BitsPerLimb()]) + } + limbs[nbLimbs-1] = bits.FromBinary(api, bs[(nbLimbs-1)*fParams.BitsPerLimb():]) + return newInternalElement[FR](limbs, 0) +} + +func CreateConstElement[T FieldParams](v interface{}) *Element[T] { + return newConstElement[T](v) } \ No newline at end of file diff --git a/std/recursion/sumcheck/gkr_nonnative.go b/std/recursion/sumcheck/gkr_nonnative.go index 02dda334e2..d31c2f0f8e 100644 --- a/std/recursion/sumcheck/gkr_nonnative.go +++ b/std/recursion/sumcheck/gkr_nonnative.go @@ -219,7 +219,7 @@ type claimsManagerFr[FR emulated.FieldParams] struct { assignment WireAssignmentFr[FR] } -func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR], verifier GKRVerifier[FR]) (claims claimsManagerFr[FR]) { +func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR]) (claims claimsManagerFr[FR]) { claims.assignment = assignment claims.claimsMap = make(map[*WireFr[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR], len(c)) @@ -231,8 +231,6 @@ func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment Wir evaluationPoints: make([][]emulated.Element[FR], 0, wire.NbClaims()), claimedEvaluations: make(polynomial.Multilinear[FR], wire.NbClaims()), manager: &claims, - verifier: &verifier, - } } return @@ -940,7 +938,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } - claims := newClaimsManagerFr(c, assignment, *v) + claims := newClaimsManagerFr(c, assignment) var firstChallenge []emulated.Element[FR] firstChallenge, err = v.getChallengesFr(o.transcript, getFirstChallengeNames(o.nbVars, o.transcriptPrefix)) if err != nil { @@ -980,7 +978,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } evaluation = *evaluationPtr - v.f.AssertIsEqual(&claim.claimedEvaluations[0], &evaluation) + api.AssertIsEqual(claim.claimedEvaluations[0], evaluation) } } else if err = sumcheck_verifier.VerifyForGkr( claim, proof[i], fiatshamir.WithTranscriptFr(o.transcript, wirePrefix+strconv.Itoa(i)+".", baseChallenge...), diff --git a/std/recursion/sumcheck/gkr_nonnative_test.go b/std/recursion/sumcheck/gkr_nonnative_test.go index 48d95c1900..64d4a9c78e 100644 --- a/std/recursion/sumcheck/gkr_nonnative_test.go +++ b/std/recursion/sumcheck/gkr_nonnative_test.go @@ -147,7 +147,7 @@ func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { assignment := makeInOutAssignment(testCase.Circuit, c.Input, c.Output) // initiating hash in bitmode, remove and do it with hashdescription instead - hsh, err := recursion.NewHash(api, fr.Modulus(), true) + h, err := recursion.NewHash(api, fr.Modulus(), true) if err != nil { return err } @@ -160,7 +160,7 @@ func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { // } // } - return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](hsh)) + return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](h)) } func makeInOutAssignment[FR emulated.FieldParams](c CircuitFr[FR], inputValues [][]emulated.Element[FR], outputValues [][]emulated.Element[FR]) WireAssignmentFr[FR] { @@ -416,9 +416,9 @@ func TestTopSortWide(t *testing.T) { func ToVariableFr[FR emulated.FieldParams](v interface{}) emulated.Element[FR] { switch vT := v.(type) { case float64: - return *new(emulated.Field[FR]).NewElement(int(vT)) + return *emulated.CreateConstElement[FR](int(vT)) default: - return *new(emulated.Field[FR]).NewElement(v) + return *emulated.CreateConstElement[FR](v) } } @@ -556,3 +556,157 @@ func (m MiMCCipherGate) Degree() int { return 7 } +// type PrintableProof []PrintableSumcheckProof + +// type PrintableSumcheckProof struct { +// FinalEvalProof interface{} `json:"finalEvalProof"` +// PartialSumPolys [][]interface{} `json:"partialSumPolys"` +// } + +// func unmarshalProof(printable PrintableProof) (Proof, error) { +// proof := make(Proof, len(printable)) +// for i := range printable { +// finalEvalProof := []fr.Element(nil) + +// if printable[i].FinalEvalProof != nil { +// finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) +// finalEvalProof = make([]fr.Element, finalEvalSlice.Len()) +// for k := range finalEvalProof { +// if _, err := test_vector_utils.SetElement(&finalEvalProof[k], finalEvalSlice.Index(k).Interface()); err != nil { +// return nil, err +// } +// } +// } + +// proof[i] = sumcheck.Proof{ +// PartialSumPolys: make([]polynomial.Polynomial, len(printable[i].PartialSumPolys)), +// FinalEvalProof: finalEvalProof, +// } +// for k := range printable[i].PartialSumPolys { +// var err error +// if proof[i].PartialSumPolys[k], err = test_vector_utils.SliceToElementSlice(printable[i].PartialSumPolys[k]); err != nil { +// return nil, err +// } +// } +// } +// return proof, nil +// } + +// type TestCase struct { +// Circuit Circuit +// Hash hash.Hash +// Proof Proof +// FullAssignment WireAssignment +// InOutAssignment WireAssignment +// } + +// type TestCaseInfo struct { +// Hash test_vector_utils.HashDescription `json:"hash"` +// Circuit string `json:"circuit"` +// Input [][]interface{} `json:"input"` +// Output [][]interface{} `json:"output"` +// Proof PrintableProof `json:"proof"` +// } + +// var testCases = make(map[string]*TestCase) + +// func newTestCase(path string) (*TestCase, error) { +// path, err := filepath.Abs(path) +// if err != nil { +// return nil, err +// } +// dir := filepath.Dir(path) + +// tCase, ok := testCases[path] +// if !ok { +// var bytes []byte +// if bytes, err = os.ReadFile(path); err == nil { +// var info TestCaseInfo +// err = json.Unmarshal(bytes, &info) +// if err != nil { +// return nil, err +// } + +// var circuit Circuit +// if circuit, err = getCircuit(filepath.Join(dir, info.Circuit)); err != nil { +// return nil, err +// } +// var _hash hash.Hash +// if _hash, err = test_vector_utils.HashFromDescription(info.Hash); err != nil { +// return nil, err +// } +// var proof Proof +// if proof, err = unmarshalProof(info.Proof); err != nil { +// return nil, err +// } + +// fullAssignment := make(WireAssignment) +// inOutAssignment := make(WireAssignment) + +// sorted := topologicalSort(circuit) + +// inI, outI := 0, 0 +// for _, w := range sorted { +// var assignmentRaw []interface{} +// if w.IsInput() { +// if inI == len(info.Input) { +// return nil, fmt.Errorf("fewer input in vector than in circuit") +// } +// assignmentRaw = info.Input[inI] +// inI++ +// } else if w.IsOutput() { +// if outI == len(info.Output) { +// return nil, fmt.Errorf("fewer output in vector than in circuit") +// } +// assignmentRaw = info.Output[outI] +// outI++ +// } +// if assignmentRaw != nil { +// var wireAssignment []fr.Element +// if wireAssignment, err = test_vector_utils.SliceToElementSlice(assignmentRaw); err != nil { +// return nil, err +// } + +// fullAssignment[w] = wireAssignment +// inOutAssignment[w] = wireAssignment +// } +// } + +// fullAssignment.Complete(circuit) + +// for _, w := range sorted { +// if w.IsOutput() { + +// if err = test_vector_utils.SliceEquals(inOutAssignment[w], fullAssignment[w]); err != nil { +// return nil, fmt.Errorf("assignment mismatch: %v", err) +// } + +// } +// } + +// tCase = &TestCase{ +// FullAssignment: fullAssignment, +// InOutAssignment: inOutAssignment, +// Proof: proof, +// Hash: _hash, +// Circuit: circuit, +// } + +// testCases[path] = tCase +// } else { +// return nil, err +// } +// } + +// return tCase, nil +// } + +// type _select int + +// func (g _select) Evaluate(in ...fr.Element) fr.Element { +// return in[g] +// } + +// func (g _select) Degree() int { +// return 1 +// } diff --git a/std/recursion/sumcheck/verifier.go b/std/recursion/sumcheck/verifier.go index 565de6e1b5..265af0f18f 100644 --- a/std/recursion/sumcheck/verifier.go +++ b/std/recursion/sumcheck/verifier.go @@ -240,7 +240,7 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro } } - gJ := make([]emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() + gJ := make([]*emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() // gJR is the claimed value. In case of multiple claims it is combined // claimed value we're going to check against. gJR := claims.CombinedSum(&combinationCoef) @@ -250,9 +250,8 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro if len(partialSumPoly) != claims.Degree(j) { return fmt.Errorf("malformed proof") //Malformed proof } - - copy(gJ[1:], partialSumPoly) - gJ[0] = *v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) + copy(polynomial.FromSliceReferences(gJ[1:]), partialSumPoly) + gJ[0] = v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) // gJ is ready //Prepare for the next iteration @@ -260,7 +259,7 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro return err } - gJR = v.p.InterpolateLDE(&r[j], polynomial.FromSlice(gJ[:(claims.Degree(j)+1)])) + gJR = v.p.InterpolateLDE(&r[j], gJ[:(claims.Degree(j)+1)]) } return claims.VerifyFinalEval(r, combinationCoef, *gJR, proof.FinalEvalProof) From ac3b04ee87b5b5b5ffde39bedcf81f99a124a798 Mon Sep 17 00:00:00 2001 From: amit0365 Date: Thu, 13 Jun 2024 16:33:19 -0400 Subject: [PATCH 06/26] git commit -m "Debugged nil elements" -m "Added verifier in ClaimsManager and populated it in verify" -m "Removed unused fromBits in Element" --- std/math/emulated/element.go | 23 --- std/recursion/sumcheck/gkr_nonnative.go | 8 +- std/recursion/sumcheck/gkr_nonnative_test.go | 162 +------------------ std/recursion/sumcheck/verifier.go | 9 +- 4 files changed, 14 insertions(+), 188 deletions(-) diff --git a/std/math/emulated/element.go b/std/math/emulated/element.go index f7ac0bb43d..6ad12d7942 100644 --- a/std/math/emulated/element.go +++ b/std/math/emulated/element.go @@ -6,7 +6,6 @@ import ( "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/internal/utils" - "github.com/consensys/gnark/std/math/bits" ) // Element defines an element in the ring of integers modulo n. The integer @@ -106,26 +105,4 @@ func (e *Element[T]) copy() *Element[T] { r.overflow = e.overflow r.internal = e.internal return &r -} - -// newInternalElement sets the limbs and overflow. Given as a function for later -// possible refactor. -func newInternalElement[T FieldParams](limbs []frontend.Variable, overflow uint) *Element[T] { - return &Element[T]{Limbs: limbs, overflow: overflow, internal: true} -} - -// FromBits returns a new Element given the bits is little-endian order. -func FromBits[FR FieldParams](api frontend.API, bs ...frontend.Variable) *Element[FR] { - var fParams FR - nbLimbs := (uint(len(bs)) + fParams.BitsPerLimb() - 1) / fParams.BitsPerLimb() - limbs := make([]frontend.Variable, nbLimbs) - for i := uint(0); i < nbLimbs-1; i++ { - limbs[i] = bits.FromBinary(api, bs[i*fParams.BitsPerLimb():(i+1)*fParams.BitsPerLimb()]) - } - limbs[nbLimbs-1] = bits.FromBinary(api, bs[(nbLimbs-1)*fParams.BitsPerLimb():]) - return newInternalElement[FR](limbs, 0) -} - -func CreateConstElement[T FieldParams](v interface{}) *Element[T] { - return newConstElement[T](v) } \ No newline at end of file diff --git a/std/recursion/sumcheck/gkr_nonnative.go b/std/recursion/sumcheck/gkr_nonnative.go index d31c2f0f8e..02dda334e2 100644 --- a/std/recursion/sumcheck/gkr_nonnative.go +++ b/std/recursion/sumcheck/gkr_nonnative.go @@ -219,7 +219,7 @@ type claimsManagerFr[FR emulated.FieldParams] struct { assignment WireAssignmentFr[FR] } -func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR]) (claims claimsManagerFr[FR]) { +func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR], verifier GKRVerifier[FR]) (claims claimsManagerFr[FR]) { claims.assignment = assignment claims.claimsMap = make(map[*WireFr[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR], len(c)) @@ -231,6 +231,8 @@ func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment Wir evaluationPoints: make([][]emulated.Element[FR], 0, wire.NbClaims()), claimedEvaluations: make(polynomial.Multilinear[FR], wire.NbClaims()), manager: &claims, + verifier: &verifier, + } } return @@ -938,7 +940,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } - claims := newClaimsManagerFr(c, assignment) + claims := newClaimsManagerFr(c, assignment, *v) var firstChallenge []emulated.Element[FR] firstChallenge, err = v.getChallengesFr(o.transcript, getFirstChallengeNames(o.nbVars, o.transcriptPrefix)) if err != nil { @@ -978,7 +980,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } evaluation = *evaluationPtr - api.AssertIsEqual(claim.claimedEvaluations[0], evaluation) + v.f.AssertIsEqual(&claim.claimedEvaluations[0], &evaluation) } } else if err = sumcheck_verifier.VerifyForGkr( claim, proof[i], fiatshamir.WithTranscriptFr(o.transcript, wirePrefix+strconv.Itoa(i)+".", baseChallenge...), diff --git a/std/recursion/sumcheck/gkr_nonnative_test.go b/std/recursion/sumcheck/gkr_nonnative_test.go index 64d4a9c78e..48d95c1900 100644 --- a/std/recursion/sumcheck/gkr_nonnative_test.go +++ b/std/recursion/sumcheck/gkr_nonnative_test.go @@ -147,7 +147,7 @@ func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { assignment := makeInOutAssignment(testCase.Circuit, c.Input, c.Output) // initiating hash in bitmode, remove and do it with hashdescription instead - h, err := recursion.NewHash(api, fr.Modulus(), true) + hsh, err := recursion.NewHash(api, fr.Modulus(), true) if err != nil { return err } @@ -160,7 +160,7 @@ func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { // } // } - return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](h)) + return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](hsh)) } func makeInOutAssignment[FR emulated.FieldParams](c CircuitFr[FR], inputValues [][]emulated.Element[FR], outputValues [][]emulated.Element[FR]) WireAssignmentFr[FR] { @@ -416,9 +416,9 @@ func TestTopSortWide(t *testing.T) { func ToVariableFr[FR emulated.FieldParams](v interface{}) emulated.Element[FR] { switch vT := v.(type) { case float64: - return *emulated.CreateConstElement[FR](int(vT)) + return *new(emulated.Field[FR]).NewElement(int(vT)) default: - return *emulated.CreateConstElement[FR](v) + return *new(emulated.Field[FR]).NewElement(v) } } @@ -556,157 +556,3 @@ func (m MiMCCipherGate) Degree() int { return 7 } -// type PrintableProof []PrintableSumcheckProof - -// type PrintableSumcheckProof struct { -// FinalEvalProof interface{} `json:"finalEvalProof"` -// PartialSumPolys [][]interface{} `json:"partialSumPolys"` -// } - -// func unmarshalProof(printable PrintableProof) (Proof, error) { -// proof := make(Proof, len(printable)) -// for i := range printable { -// finalEvalProof := []fr.Element(nil) - -// if printable[i].FinalEvalProof != nil { -// finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) -// finalEvalProof = make([]fr.Element, finalEvalSlice.Len()) -// for k := range finalEvalProof { -// if _, err := test_vector_utils.SetElement(&finalEvalProof[k], finalEvalSlice.Index(k).Interface()); err != nil { -// return nil, err -// } -// } -// } - -// proof[i] = sumcheck.Proof{ -// PartialSumPolys: make([]polynomial.Polynomial, len(printable[i].PartialSumPolys)), -// FinalEvalProof: finalEvalProof, -// } -// for k := range printable[i].PartialSumPolys { -// var err error -// if proof[i].PartialSumPolys[k], err = test_vector_utils.SliceToElementSlice(printable[i].PartialSumPolys[k]); err != nil { -// return nil, err -// } -// } -// } -// return proof, nil -// } - -// type TestCase struct { -// Circuit Circuit -// Hash hash.Hash -// Proof Proof -// FullAssignment WireAssignment -// InOutAssignment WireAssignment -// } - -// type TestCaseInfo struct { -// Hash test_vector_utils.HashDescription `json:"hash"` -// Circuit string `json:"circuit"` -// Input [][]interface{} `json:"input"` -// Output [][]interface{} `json:"output"` -// Proof PrintableProof `json:"proof"` -// } - -// var testCases = make(map[string]*TestCase) - -// func newTestCase(path string) (*TestCase, error) { -// path, err := filepath.Abs(path) -// if err != nil { -// return nil, err -// } -// dir := filepath.Dir(path) - -// tCase, ok := testCases[path] -// if !ok { -// var bytes []byte -// if bytes, err = os.ReadFile(path); err == nil { -// var info TestCaseInfo -// err = json.Unmarshal(bytes, &info) -// if err != nil { -// return nil, err -// } - -// var circuit Circuit -// if circuit, err = getCircuit(filepath.Join(dir, info.Circuit)); err != nil { -// return nil, err -// } -// var _hash hash.Hash -// if _hash, err = test_vector_utils.HashFromDescription(info.Hash); err != nil { -// return nil, err -// } -// var proof Proof -// if proof, err = unmarshalProof(info.Proof); err != nil { -// return nil, err -// } - -// fullAssignment := make(WireAssignment) -// inOutAssignment := make(WireAssignment) - -// sorted := topologicalSort(circuit) - -// inI, outI := 0, 0 -// for _, w := range sorted { -// var assignmentRaw []interface{} -// if w.IsInput() { -// if inI == len(info.Input) { -// return nil, fmt.Errorf("fewer input in vector than in circuit") -// } -// assignmentRaw = info.Input[inI] -// inI++ -// } else if w.IsOutput() { -// if outI == len(info.Output) { -// return nil, fmt.Errorf("fewer output in vector than in circuit") -// } -// assignmentRaw = info.Output[outI] -// outI++ -// } -// if assignmentRaw != nil { -// var wireAssignment []fr.Element -// if wireAssignment, err = test_vector_utils.SliceToElementSlice(assignmentRaw); err != nil { -// return nil, err -// } - -// fullAssignment[w] = wireAssignment -// inOutAssignment[w] = wireAssignment -// } -// } - -// fullAssignment.Complete(circuit) - -// for _, w := range sorted { -// if w.IsOutput() { - -// if err = test_vector_utils.SliceEquals(inOutAssignment[w], fullAssignment[w]); err != nil { -// return nil, fmt.Errorf("assignment mismatch: %v", err) -// } - -// } -// } - -// tCase = &TestCase{ -// FullAssignment: fullAssignment, -// InOutAssignment: inOutAssignment, -// Proof: proof, -// Hash: _hash, -// Circuit: circuit, -// } - -// testCases[path] = tCase -// } else { -// return nil, err -// } -// } - -// return tCase, nil -// } - -// type _select int - -// func (g _select) Evaluate(in ...fr.Element) fr.Element { -// return in[g] -// } - -// func (g _select) Degree() int { -// return 1 -// } diff --git a/std/recursion/sumcheck/verifier.go b/std/recursion/sumcheck/verifier.go index 265af0f18f..565de6e1b5 100644 --- a/std/recursion/sumcheck/verifier.go +++ b/std/recursion/sumcheck/verifier.go @@ -240,7 +240,7 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro } } - gJ := make([]*emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() + gJ := make([]emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() // gJR is the claimed value. In case of multiple claims it is combined // claimed value we're going to check against. gJR := claims.CombinedSum(&combinationCoef) @@ -250,8 +250,9 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro if len(partialSumPoly) != claims.Degree(j) { return fmt.Errorf("malformed proof") //Malformed proof } - copy(polynomial.FromSliceReferences(gJ[1:]), partialSumPoly) - gJ[0] = v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) + + copy(gJ[1:], partialSumPoly) + gJ[0] = *v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) // gJ is ready //Prepare for the next iteration @@ -259,7 +260,7 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro return err } - gJR = v.p.InterpolateLDE(&r[j], gJ[:(claims.Degree(j)+1)]) + gJR = v.p.InterpolateLDE(&r[j], polynomial.FromSlice(gJ[:(claims.Degree(j)+1)])) } return claims.VerifyFinalEval(r, combinationCoef, *gJR, proof.FinalEvalProof) From 59c8554745006ffda3fff5f1468d0a5066b81b57 Mon Sep 17 00:00:00 2001 From: amit0365 Date: Thu, 13 Jun 2024 16:37:28 -0400 Subject: [PATCH 07/26] Debugged nil elements Added verifier in ClaimsManager and populated it in verify Using emulated.Assertequal in verify Removed unused fromBits in Element --- std/math/emulated/element.go | 23 +++ std/recursion/sumcheck/gkr_nonnative.go | 8 +- std/recursion/sumcheck/gkr_nonnative_test.go | 162 ++++++++++++++++++- std/recursion/sumcheck/verifier.go | 9 +- 4 files changed, 188 insertions(+), 14 deletions(-) diff --git a/std/math/emulated/element.go b/std/math/emulated/element.go index 6ad12d7942..f7ac0bb43d 100644 --- a/std/math/emulated/element.go +++ b/std/math/emulated/element.go @@ -6,6 +6,7 @@ import ( "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/internal/utils" + "github.com/consensys/gnark/std/math/bits" ) // Element defines an element in the ring of integers modulo n. The integer @@ -105,4 +106,26 @@ func (e *Element[T]) copy() *Element[T] { r.overflow = e.overflow r.internal = e.internal return &r +} + +// newInternalElement sets the limbs and overflow. Given as a function for later +// possible refactor. +func newInternalElement[T FieldParams](limbs []frontend.Variable, overflow uint) *Element[T] { + return &Element[T]{Limbs: limbs, overflow: overflow, internal: true} +} + +// FromBits returns a new Element given the bits is little-endian order. +func FromBits[FR FieldParams](api frontend.API, bs ...frontend.Variable) *Element[FR] { + var fParams FR + nbLimbs := (uint(len(bs)) + fParams.BitsPerLimb() - 1) / fParams.BitsPerLimb() + limbs := make([]frontend.Variable, nbLimbs) + for i := uint(0); i < nbLimbs-1; i++ { + limbs[i] = bits.FromBinary(api, bs[i*fParams.BitsPerLimb():(i+1)*fParams.BitsPerLimb()]) + } + limbs[nbLimbs-1] = bits.FromBinary(api, bs[(nbLimbs-1)*fParams.BitsPerLimb():]) + return newInternalElement[FR](limbs, 0) +} + +func CreateConstElement[T FieldParams](v interface{}) *Element[T] { + return newConstElement[T](v) } \ No newline at end of file diff --git a/std/recursion/sumcheck/gkr_nonnative.go b/std/recursion/sumcheck/gkr_nonnative.go index 02dda334e2..d31c2f0f8e 100644 --- a/std/recursion/sumcheck/gkr_nonnative.go +++ b/std/recursion/sumcheck/gkr_nonnative.go @@ -219,7 +219,7 @@ type claimsManagerFr[FR emulated.FieldParams] struct { assignment WireAssignmentFr[FR] } -func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR], verifier GKRVerifier[FR]) (claims claimsManagerFr[FR]) { +func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR]) (claims claimsManagerFr[FR]) { claims.assignment = assignment claims.claimsMap = make(map[*WireFr[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR], len(c)) @@ -231,8 +231,6 @@ func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment Wir evaluationPoints: make([][]emulated.Element[FR], 0, wire.NbClaims()), claimedEvaluations: make(polynomial.Multilinear[FR], wire.NbClaims()), manager: &claims, - verifier: &verifier, - } } return @@ -940,7 +938,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } - claims := newClaimsManagerFr(c, assignment, *v) + claims := newClaimsManagerFr(c, assignment) var firstChallenge []emulated.Element[FR] firstChallenge, err = v.getChallengesFr(o.transcript, getFirstChallengeNames(o.nbVars, o.transcriptPrefix)) if err != nil { @@ -980,7 +978,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } evaluation = *evaluationPtr - v.f.AssertIsEqual(&claim.claimedEvaluations[0], &evaluation) + api.AssertIsEqual(claim.claimedEvaluations[0], evaluation) } } else if err = sumcheck_verifier.VerifyForGkr( claim, proof[i], fiatshamir.WithTranscriptFr(o.transcript, wirePrefix+strconv.Itoa(i)+".", baseChallenge...), diff --git a/std/recursion/sumcheck/gkr_nonnative_test.go b/std/recursion/sumcheck/gkr_nonnative_test.go index 48d95c1900..64d4a9c78e 100644 --- a/std/recursion/sumcheck/gkr_nonnative_test.go +++ b/std/recursion/sumcheck/gkr_nonnative_test.go @@ -147,7 +147,7 @@ func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { assignment := makeInOutAssignment(testCase.Circuit, c.Input, c.Output) // initiating hash in bitmode, remove and do it with hashdescription instead - hsh, err := recursion.NewHash(api, fr.Modulus(), true) + h, err := recursion.NewHash(api, fr.Modulus(), true) if err != nil { return err } @@ -160,7 +160,7 @@ func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { // } // } - return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](hsh)) + return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](h)) } func makeInOutAssignment[FR emulated.FieldParams](c CircuitFr[FR], inputValues [][]emulated.Element[FR], outputValues [][]emulated.Element[FR]) WireAssignmentFr[FR] { @@ -416,9 +416,9 @@ func TestTopSortWide(t *testing.T) { func ToVariableFr[FR emulated.FieldParams](v interface{}) emulated.Element[FR] { switch vT := v.(type) { case float64: - return *new(emulated.Field[FR]).NewElement(int(vT)) + return *emulated.CreateConstElement[FR](int(vT)) default: - return *new(emulated.Field[FR]).NewElement(v) + return *emulated.CreateConstElement[FR](v) } } @@ -556,3 +556,157 @@ func (m MiMCCipherGate) Degree() int { return 7 } +// type PrintableProof []PrintableSumcheckProof + +// type PrintableSumcheckProof struct { +// FinalEvalProof interface{} `json:"finalEvalProof"` +// PartialSumPolys [][]interface{} `json:"partialSumPolys"` +// } + +// func unmarshalProof(printable PrintableProof) (Proof, error) { +// proof := make(Proof, len(printable)) +// for i := range printable { +// finalEvalProof := []fr.Element(nil) + +// if printable[i].FinalEvalProof != nil { +// finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) +// finalEvalProof = make([]fr.Element, finalEvalSlice.Len()) +// for k := range finalEvalProof { +// if _, err := test_vector_utils.SetElement(&finalEvalProof[k], finalEvalSlice.Index(k).Interface()); err != nil { +// return nil, err +// } +// } +// } + +// proof[i] = sumcheck.Proof{ +// PartialSumPolys: make([]polynomial.Polynomial, len(printable[i].PartialSumPolys)), +// FinalEvalProof: finalEvalProof, +// } +// for k := range printable[i].PartialSumPolys { +// var err error +// if proof[i].PartialSumPolys[k], err = test_vector_utils.SliceToElementSlice(printable[i].PartialSumPolys[k]); err != nil { +// return nil, err +// } +// } +// } +// return proof, nil +// } + +// type TestCase struct { +// Circuit Circuit +// Hash hash.Hash +// Proof Proof +// FullAssignment WireAssignment +// InOutAssignment WireAssignment +// } + +// type TestCaseInfo struct { +// Hash test_vector_utils.HashDescription `json:"hash"` +// Circuit string `json:"circuit"` +// Input [][]interface{} `json:"input"` +// Output [][]interface{} `json:"output"` +// Proof PrintableProof `json:"proof"` +// } + +// var testCases = make(map[string]*TestCase) + +// func newTestCase(path string) (*TestCase, error) { +// path, err := filepath.Abs(path) +// if err != nil { +// return nil, err +// } +// dir := filepath.Dir(path) + +// tCase, ok := testCases[path] +// if !ok { +// var bytes []byte +// if bytes, err = os.ReadFile(path); err == nil { +// var info TestCaseInfo +// err = json.Unmarshal(bytes, &info) +// if err != nil { +// return nil, err +// } + +// var circuit Circuit +// if circuit, err = getCircuit(filepath.Join(dir, info.Circuit)); err != nil { +// return nil, err +// } +// var _hash hash.Hash +// if _hash, err = test_vector_utils.HashFromDescription(info.Hash); err != nil { +// return nil, err +// } +// var proof Proof +// if proof, err = unmarshalProof(info.Proof); err != nil { +// return nil, err +// } + +// fullAssignment := make(WireAssignment) +// inOutAssignment := make(WireAssignment) + +// sorted := topologicalSort(circuit) + +// inI, outI := 0, 0 +// for _, w := range sorted { +// var assignmentRaw []interface{} +// if w.IsInput() { +// if inI == len(info.Input) { +// return nil, fmt.Errorf("fewer input in vector than in circuit") +// } +// assignmentRaw = info.Input[inI] +// inI++ +// } else if w.IsOutput() { +// if outI == len(info.Output) { +// return nil, fmt.Errorf("fewer output in vector than in circuit") +// } +// assignmentRaw = info.Output[outI] +// outI++ +// } +// if assignmentRaw != nil { +// var wireAssignment []fr.Element +// if wireAssignment, err = test_vector_utils.SliceToElementSlice(assignmentRaw); err != nil { +// return nil, err +// } + +// fullAssignment[w] = wireAssignment +// inOutAssignment[w] = wireAssignment +// } +// } + +// fullAssignment.Complete(circuit) + +// for _, w := range sorted { +// if w.IsOutput() { + +// if err = test_vector_utils.SliceEquals(inOutAssignment[w], fullAssignment[w]); err != nil { +// return nil, fmt.Errorf("assignment mismatch: %v", err) +// } + +// } +// } + +// tCase = &TestCase{ +// FullAssignment: fullAssignment, +// InOutAssignment: inOutAssignment, +// Proof: proof, +// Hash: _hash, +// Circuit: circuit, +// } + +// testCases[path] = tCase +// } else { +// return nil, err +// } +// } + +// return tCase, nil +// } + +// type _select int + +// func (g _select) Evaluate(in ...fr.Element) fr.Element { +// return in[g] +// } + +// func (g _select) Degree() int { +// return 1 +// } diff --git a/std/recursion/sumcheck/verifier.go b/std/recursion/sumcheck/verifier.go index 565de6e1b5..265af0f18f 100644 --- a/std/recursion/sumcheck/verifier.go +++ b/std/recursion/sumcheck/verifier.go @@ -240,7 +240,7 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro } } - gJ := make([]emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() + gJ := make([]*emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() // gJR is the claimed value. In case of multiple claims it is combined // claimed value we're going to check against. gJR := claims.CombinedSum(&combinationCoef) @@ -250,9 +250,8 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro if len(partialSumPoly) != claims.Degree(j) { return fmt.Errorf("malformed proof") //Malformed proof } - - copy(gJ[1:], partialSumPoly) - gJ[0] = *v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) + copy(polynomial.FromSliceReferences(gJ[1:]), partialSumPoly) + gJ[0] = v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) // gJ is ready //Prepare for the next iteration @@ -260,7 +259,7 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro return err } - gJR = v.p.InterpolateLDE(&r[j], polynomial.FromSlice(gJ[:(claims.Degree(j)+1)])) + gJR = v.p.InterpolateLDE(&r[j], gJ[:(claims.Degree(j)+1)]) } return claims.VerifyFinalEval(r, combinationCoef, *gJR, proof.FinalEvalProof) From 650d48a2d4a72894649626a6ecc021db3d71e7db Mon Sep 17 00:00:00 2001 From: amit0365 Date: Thu, 13 Jun 2024 16:39:04 -0400 Subject: [PATCH 08/26] removed unused fns --- std/math/emulated/element.go | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/std/math/emulated/element.go b/std/math/emulated/element.go index f7ac0bb43d..b44a6692a5 100644 --- a/std/math/emulated/element.go +++ b/std/math/emulated/element.go @@ -106,26 +106,4 @@ func (e *Element[T]) copy() *Element[T] { r.overflow = e.overflow r.internal = e.internal return &r -} - -// newInternalElement sets the limbs and overflow. Given as a function for later -// possible refactor. -func newInternalElement[T FieldParams](limbs []frontend.Variable, overflow uint) *Element[T] { - return &Element[T]{Limbs: limbs, overflow: overflow, internal: true} -} - -// FromBits returns a new Element given the bits is little-endian order. -func FromBits[FR FieldParams](api frontend.API, bs ...frontend.Variable) *Element[FR] { - var fParams FR - nbLimbs := (uint(len(bs)) + fParams.BitsPerLimb() - 1) / fParams.BitsPerLimb() - limbs := make([]frontend.Variable, nbLimbs) - for i := uint(0); i < nbLimbs-1; i++ { - limbs[i] = bits.FromBinary(api, bs[i*fParams.BitsPerLimb():(i+1)*fParams.BitsPerLimb()]) - } - limbs[nbLimbs-1] = bits.FromBinary(api, bs[(nbLimbs-1)*fParams.BitsPerLimb():]) - return newInternalElement[FR](limbs, 0) -} - -func CreateConstElement[T FieldParams](v interface{}) *Element[T] { - return newConstElement[T](v) } \ No newline at end of file From 4717901a923b4ea7e4302360adc2f2e13764dfc9 Mon Sep 17 00:00:00 2001 From: amit0365 Date: Thu, 13 Jun 2024 16:41:27 -0400 Subject: [PATCH 09/26] compiles now --- std/recursion/sumcheck/gkr_nonnative_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/std/recursion/sumcheck/gkr_nonnative_test.go b/std/recursion/sumcheck/gkr_nonnative_test.go index 64d4a9c78e..5633e5b2fd 100644 --- a/std/recursion/sumcheck/gkr_nonnative_test.go +++ b/std/recursion/sumcheck/gkr_nonnative_test.go @@ -416,9 +416,9 @@ func TestTopSortWide(t *testing.T) { func ToVariableFr[FR emulated.FieldParams](v interface{}) emulated.Element[FR] { switch vT := v.(type) { case float64: - return *emulated.CreateConstElement[FR](int(vT)) + return *new(emulated.Field[FR]).NewElement(int(vT)) default: - return *emulated.CreateConstElement[FR](v) + return *new(emulated.Field[FR]).NewElement(v) } } From 04b5caf9a24acefe53f73e4dc32e8e9d5a4fcfd5 Mon Sep 17 00:00:00 2001 From: amit0365 Date: Thu, 13 Jun 2024 16:49:48 -0400 Subject: [PATCH 10/26] fixed --- std/math/emulated/element.go | 1 - std/math/emulated/field.go | 2 +- std/recursion/sumcheck/gkr_nonnative.go | 7 ++++--- std/recursion/sumcheck/verifier.go | 8 ++++---- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/std/math/emulated/element.go b/std/math/emulated/element.go index b44a6692a5..6ad12d7942 100644 --- a/std/math/emulated/element.go +++ b/std/math/emulated/element.go @@ -6,7 +6,6 @@ import ( "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/internal/utils" - "github.com/consensys/gnark/std/math/bits" ) // Element defines an element in the ring of integers modulo n. The integer diff --git a/std/math/emulated/field.go b/std/math/emulated/field.go index 6c1f19b04d..38e6427b1d 100644 --- a/std/math/emulated/field.go +++ b/std/math/emulated/field.go @@ -101,7 +101,7 @@ func NewField[T FieldParams](native frontend.API) (*Field[T], error) { if uint(f.api.Compiler().FieldBitLen()) < 2*f.fParams.BitsPerLimb()+1 { return nil, fmt.Errorf("elements with limb length %d does not fit into scalar field", f.fParams.BitsPerLimb()) } - + println("NewField mulcheck") native.Compiler().Defer(f.performMulChecks) if storer, ok := native.(kvstore.Store); ok { storer.SetKeyValue(ctxKey[T]{}, f) diff --git a/std/recursion/sumcheck/gkr_nonnative.go b/std/recursion/sumcheck/gkr_nonnative.go index d31c2f0f8e..481327abeb 100644 --- a/std/recursion/sumcheck/gkr_nonnative.go +++ b/std/recursion/sumcheck/gkr_nonnative.go @@ -219,7 +219,7 @@ type claimsManagerFr[FR emulated.FieldParams] struct { assignment WireAssignmentFr[FR] } -func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR]) (claims claimsManagerFr[FR]) { +func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR], verifier GKRVerifier[FR]) (claims claimsManagerFr[FR]) { claims.assignment = assignment claims.claimsMap = make(map[*WireFr[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR], len(c)) @@ -231,6 +231,7 @@ func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment Wir evaluationPoints: make([][]emulated.Element[FR], 0, wire.NbClaims()), claimedEvaluations: make(polynomial.Multilinear[FR], wire.NbClaims()), manager: &claims, + verifier: &verifier, } } return @@ -938,7 +939,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } - claims := newClaimsManagerFr(c, assignment) + claims := newClaimsManagerFr(c, assignment, *v) var firstChallenge []emulated.Element[FR] firstChallenge, err = v.getChallengesFr(o.transcript, getFirstChallengeNames(o.nbVars, o.transcriptPrefix)) if err != nil { @@ -978,7 +979,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } evaluation = *evaluationPtr - api.AssertIsEqual(claim.claimedEvaluations[0], evaluation) + v.f.AssertIsEqual(&claim.claimedEvaluations[0], &evaluation) } } else if err = sumcheck_verifier.VerifyForGkr( claim, proof[i], fiatshamir.WithTranscriptFr(o.transcript, wirePrefix+strconv.Itoa(i)+".", baseChallenge...), diff --git a/std/recursion/sumcheck/verifier.go b/std/recursion/sumcheck/verifier.go index 265af0f18f..95732a90aa 100644 --- a/std/recursion/sumcheck/verifier.go +++ b/std/recursion/sumcheck/verifier.go @@ -240,7 +240,7 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro } } - gJ := make([]*emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() + gJ := make([]emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() // gJR is the claimed value. In case of multiple claims it is combined // claimed value we're going to check against. gJR := claims.CombinedSum(&combinationCoef) @@ -250,8 +250,8 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro if len(partialSumPoly) != claims.Degree(j) { return fmt.Errorf("malformed proof") //Malformed proof } - copy(polynomial.FromSliceReferences(gJ[1:]), partialSumPoly) - gJ[0] = v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) + copy(gJ[1:], partialSumPoly) + gJ[0] = *v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) // gJ is ready //Prepare for the next iteration @@ -259,7 +259,7 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro return err } - gJR = v.p.InterpolateLDE(&r[j], gJ[:(claims.Degree(j)+1)]) + gJR = v.p.InterpolateLDE(&r[j], polynomial.FromSlice(gJ[:(claims.Degree(j)+1)])) } return claims.VerifyFinalEval(r, combinationCoef, *gJR, proof.FinalEvalProof) From 9a6f78ca41e2cf8f7c4a0dfc0fc136be06475b69 Mon Sep 17 00:00:00 2001 From: TheDarkMatters Date: Mon, 17 Jun 2024 17:50:07 -0400 Subject: [PATCH 11/26] resolve ivo comments - prover done --- std/gkr/gkr_test.go | 11 - std/math/emulated/field.go | 2 +- std/math/emulated/field_mul.go | 10 - std/math/polynomial/polynomial.go | 12 - .../{sumcheck => gkr}/gkr_nonnative.go | 405 ++++++++---------- .../{sumcheck => gkr}/gkr_nonnative_test.go | 21 +- .../mimc_five_levels_two_instances._json | 7 + .../resources/mimc_five_levels.json | 36 ++ .../resources/single_identity_gate.json | 10 + .../single_input_two_identity_gates.json | 14 + .../resources/single_input_two_outs.json | 14 + .../resources/single_mimc_gate.json | 7 + .../resources/single_mul_gate.json | 14 + ..._identity_gates_composed_single_input.json | 14 + .../two_inputs_select-input-3_gate.json | 14 + .../single_identity_gate_two_instances.json | 36 ++ ...nput_two_identity_gates_two_instances.json | 56 +++ .../single_input_two_outs_two_instances.json | 57 +++ .../single_mimc_gate_four_instances.json | 67 +++ .../single_mimc_gate_two_instances.json | 51 +++ .../single_mul_gate_two_instances.json | 46 ++ ...s_composed_single_input_two_instances.json | 47 ++ ...uts_select-input-3_gate_two_instances.json | 45 ++ std/recursion/sumcheck/arithengine.go | 27 +- std/recursion/sumcheck/challenge.go | 6 +- std/recursion/sumcheck/claim_intf.go | 40 +- std/recursion/sumcheck/claimable_gate.go | 36 +- .../sumcheck/claimable_multilinear.go | 10 +- std/recursion/sumcheck/polynomial.go | 117 ++--- std/recursion/sumcheck/proof.go | 26 +- std/recursion/sumcheck/prover.go | 108 +---- .../sumcheck/scalarmul_gates_test.go | 6 +- std/recursion/sumcheck/sumcheck_test.go | 4 +- std/recursion/sumcheck/verifier.go | 13 +- std/sumcheck/sumcheck.go | 4 +- 35 files changed, 827 insertions(+), 566 deletions(-) rename std/recursion/{sumcheck => gkr}/gkr_nonnative.go (74%) rename std/recursion/{sumcheck => gkr}/gkr_nonnative_test.go (97%) create mode 100644 std/recursion/gkr/test_vectors/mimc_five_levels_two_instances._json create mode 100644 std/recursion/gkr/test_vectors/resources/mimc_five_levels.json create mode 100644 std/recursion/gkr/test_vectors/resources/single_identity_gate.json create mode 100644 std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates.json create mode 100644 std/recursion/gkr/test_vectors/resources/single_input_two_outs.json create mode 100644 std/recursion/gkr/test_vectors/resources/single_mimc_gate.json create mode 100644 std/recursion/gkr/test_vectors/resources/single_mul_gate.json create mode 100644 std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input.json create mode 100644 std/recursion/gkr/test_vectors/resources/two_inputs_select-input-3_gate.json create mode 100644 std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/single_mimc_gate_four_instances.json create mode 100644 std/recursion/gkr/test_vectors/single_mimc_gate_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json diff --git a/std/gkr/gkr_test.go b/std/gkr/gkr_test.go index c5b39fb879..8ec97a2954 100644 --- a/std/gkr/gkr_test.go +++ b/std/gkr/gkr_test.go @@ -8,11 +8,8 @@ import ( "reflect" "testing" - "github.com/consensys/gnark-crypto/ecc" "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" - "github.com/consensys/gnark/frontend/cs/r1cs" - "github.com/consensys/gnark/profile" fiatshamir "github.com/consensys/gnark/std/fiat-shamir" "github.com/consensys/gnark/std/polynomial" "github.com/consensys/gnark/test" @@ -77,14 +74,6 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { TestCaseName: path, } - p:= profile.Start() - frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, validCircuit) - p.Stop() - - fmt.Println(p.NbConstraints()) - fmt.Println(p.Top()) - //r1cs.CheckUnconstrainedWires() - invalidCircuit := &GkrVerifierCircuit{ Input: make([][]frontend.Variable, len(testCase.Input)), Output: make([][]frontend.Variable, len(testCase.Output)), diff --git a/std/math/emulated/field.go b/std/math/emulated/field.go index 38e6427b1d..6c1f19b04d 100644 --- a/std/math/emulated/field.go +++ b/std/math/emulated/field.go @@ -101,7 +101,7 @@ func NewField[T FieldParams](native frontend.API) (*Field[T], error) { if uint(f.api.Compiler().FieldBitLen()) < 2*f.fParams.BitsPerLimb()+1 { return nil, fmt.Errorf("elements with limb length %d does not fit into scalar field", f.fParams.BitsPerLimb()) } - println("NewField mulcheck") + native.Compiler().Defer(f.performMulChecks) if storer, ok := native.(kvstore.Store); ok { storer.SetKeyValue(ctxKey[T]{}, f) diff --git a/std/math/emulated/field_mul.go b/std/math/emulated/field_mul.go index 66537cc846..278b9a5024 100644 --- a/std/math/emulated/field_mul.go +++ b/std/math/emulated/field_mul.go @@ -414,16 +414,6 @@ func (f *Field[T]) Mul(a, b *Element[T]) *Element[T] { return f.reduceAndOp(func(a, b *Element[T], u uint) *Element[T] { return f.mulMod(a, b, u, nil) }, f.mulPreCond, a, b) } -// // MulAcc computes a*b and reduces it modulo the field order. The returned Element -// // has default number of limbs and zero overflow. If the result wouldn't fit -// // into Element, then locally reduces the inputs first. Doesn't mutate inputs. -// // -// // For multiplying by a constant, use [Field[T].MulConst] method which is more -// // efficient. -// func (f *Field[T]) MulAcc(a, b *Element[T], c *Element[T]) *Element[T] { -// return f.reduceAndOp(func(a, b *Element[T], u uint) *Element[T] { return f.mulMod(a, b, u, nil) }, f.mulPreCond, a, b) -// } - // MulMod computes a*b and reduces it modulo the field order. The returned Element // has default number of limbs and zero overflow. // diff --git a/std/math/polynomial/polynomial.go b/std/math/polynomial/polynomial.go index 05bb9bb9b5..2240930661 100644 --- a/std/math/polynomial/polynomial.go +++ b/std/math/polynomial/polynomial.go @@ -93,18 +93,6 @@ func New[FR emulated.FieldParams](api frontend.API) (*Polynomial[FR], error) { }, nil } -func (p *Polynomial[FR]) Mul(a, b *emulated.Element[FR]) *emulated.Element[FR] { - return p.f.Mul(a, b) -} - -func (p *Polynomial[FR]) Add(a, b *emulated.Element[FR]) *emulated.Element[FR] { - return p.f.Add(a, b) -} - -func (p *Polynomial[FR]) AssertIsEqual(a, b *emulated.Element[FR]) { - p.f.AssertIsEqual(a, b) -} - // EvalUnivariate evaluates univariate polynomial at a point at. It returns the // evaluation. The method does not mutate the inputs. func (p *Polynomial[FR]) EvalUnivariate(P Univariate[FR], at *emulated.Element[FR]) *emulated.Element[FR] { diff --git a/std/recursion/sumcheck/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go similarity index 74% rename from std/recursion/sumcheck/gkr_nonnative.go rename to std/recursion/gkr/gkr_nonnative.go index 481327abeb..a7217968aa 100644 --- a/std/recursion/sumcheck/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -2,19 +2,20 @@ package sumcheck import ( "fmt" + "math/big" "slices" "strconv" - "math/big" "sync" - "github.com/consensys/gnark/frontend" "github.com/consensys/gnark-crypto/utils" + "github.com/consensys/gnark/frontend" fiatshamir "github.com/consensys/gnark/std/fiat-shamir" + cryptofiatshamir "github.com/consensys/gnark-crypto/fiat-shamir" "github.com/consensys/gnark/std/math/bits" "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark/std/math/polynomial" "github.com/consensys/gnark/std/recursion" - polynative "github.com/consensys/gnark/std/polynomial" + "github.com/consensys/gnark/std/recursion/sumcheck" ) // @tabaie TODO: Contains many things copy-pasted from gnark-crypto. Generify somehow? @@ -28,7 +29,7 @@ import ( // Gate must be a low-degree polynomial type Gate interface { - Evaluate(...frontend.Variable) frontend.Variable // removed api ? + Evaluate(...big.Int) big.Int // removed api ? Degree() int } @@ -40,14 +41,14 @@ type Wire struct { // Gate must be a low-degree polynomial type GateFr[FR emulated.FieldParams] interface { - Evaluate(emuEngine[FR], ...emulated.Element[FR]) emulated.Element[FR] // removed api ? + Evaluate(...emulated.Element[FR]) emulated.Element[FR] Degree() int } type WireFr[FR emulated.FieldParams] struct { Gate GateFr[FR] Inputs []*WireFr[FR] // if there are no Inputs, the wire is assumed an input wire - nbUniqueOutputs int // number of other wires using it as input, not counting duplicates (i.e. providing two inputs to the same gate counts as one) + nbUniqueOutputs int // number of other wires using it as input, not counting duplicates (i.e. providing two inputs to the same gate counts as one) } type Circuit []Wire @@ -119,12 +120,12 @@ func (w WireFr[FR]) noProof() bool { } // WireAssignment is assignment of values to the same wire across many instances of the circuit -type WireAssignment map[*Wire]polynative.MultiLin +type WireAssignment map[*Wire]sumcheck.NativeMultilinear // WireAssignment is assignment of values to the same wire across many instances of the circuit type WireAssignmentFr[FR emulated.FieldParams] map[*WireFr[FR]]polynomial.Multilinear[FR] -type Proofs[FR emulated.FieldParams] []nonNativeProofGKR[FR] // for each layer, for each wire, a sumcheck (for each variable, a polynomial) +type Proofs[FR emulated.FieldParams] []sumcheck.Proof[FR] // for each layer, for each wire, a sumcheck (for each variable, a polynomial) type eqTimesGateEvalSumcheckLazyClaimsFr[FR emulated.FieldParams] struct { wire *WireFr[FR] @@ -134,9 +135,9 @@ type eqTimesGateEvalSumcheckLazyClaimsFr[FR emulated.FieldParams] struct { verifier *GKRVerifier[FR] } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof EvaluationProofFr[FR]) error { +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof sumcheck.DeferredEvalProof[FR]) error { inputEvaluationsNoRedundancy := proof - + field := emulated.Field[FR]{} p, err := polynomial.New[FR](e.verifier.api) if err != nil { return err @@ -146,9 +147,9 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.E numClaims := len(e.evaluationPoints) evaluation := p.EvalEqual(polynomial.FromSlice(e.evaluationPoints[numClaims-1]), polynomial.FromSlice(r)) for i := numClaims - 2; i >= 0; i-- { - evaluation = p.Mul(evaluation, &combinationCoeff) + evaluation = field.Mul(evaluation, &combinationCoeff) eq := p.EvalEqual(polynomial.FromSlice(e.evaluationPoints[i]), polynomial.FromSlice(r)) - evaluation = p.Add(evaluation, eq) + evaluation = field.Add(evaluation, eq) } // the g(...) term @@ -179,11 +180,11 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.E if proofI != len(inputEvaluationsNoRedundancy) { return fmt.Errorf("%d input wire evaluations given, %d expected", len(inputEvaluationsNoRedundancy), proofI) } - gateEvaluation = e.wire.Gate.Evaluate(e.verifier.engine, inputEvaluations...) + gateEvaluation = e.wire.Gate.Evaluate(inputEvaluations...) } - evaluation = p.Mul(evaluation, &gateEvaluation) + evaluation = field.Mul(evaluation, &gateEvaluation) - p.AssertIsEqual(evaluation, &purportedValue) + field.AssertIsEqual(evaluation, &purportedValue) return nil } @@ -204,16 +205,16 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) Degree(int) int { return 1 + e.wire.Gate.Degree() } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof EvaluationProofFr[FR]) error { +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof sumcheck.DeferredEvalProof[FR]) error { + field := emulated.Field[FR]{} val, err := e.verifier.p.EvalMultilinear(r, e.manager.assignment[e.wire]) if err != nil { return fmt.Errorf("evaluation error: %w", err) } - e.verifier.p.AssertIsEqual(val, expectedValue) + field.AssertIsEqual(val, expectedValue) return nil } - type claimsManagerFr[FR emulated.FieldParams] struct { claimsMap map[*WireFr[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR] assignment WireAssignmentFr[FR] @@ -255,30 +256,26 @@ func (m *claimsManagerFr[FR]) deleteClaim(wire *WireFr[FR]) { type claimsManager struct { claimsMap map[*Wire]*eqTimesGateEvalSumcheckLazyClaims assignment WireAssignment - memPool *polynative.Pool - workers *utils.WorkerPool } func newClaimsManager(c Circuit, assignment WireAssignment, o settings) (claims claimsManager) { claims.assignment = assignment claims.claimsMap = make(map[*Wire]*eqTimesGateEvalSumcheckLazyClaims, len(c)) - claims.memPool = o.pool - claims.workers = o.workers for i := range c { wire := &c[i] claims.claimsMap[wire] = &eqTimesGateEvalSumcheckLazyClaims{ wire: wire, - evaluationPoints: make([][]frontend.Variable, 0, wire.NbClaims()), - claimedEvaluations: make([]frontend.Variable, wire.NbClaims()), + evaluationPoints: make([][]big.Int, 0, wire.NbClaims()), + claimedEvaluations: make([]big.Int, wire.NbClaims()), manager: &claims, } } return } -func (m *claimsManager) add(wire *Wire, evaluationPoint []frontend.Variable, evaluation frontend.Variable) { +func (m *claimsManager) add(wire *Wire, evaluationPoint []big.Int, evaluation big.Int) { claim := m.claimsMap[wire] i := len(claim.evaluationPoints) claim.claimedEvaluations[i] = evaluation @@ -299,12 +296,12 @@ func (m *claimsManager) getClaim(wire *Wire) *eqTimesGateEvalSumcheckClaims { } if wire.IsInput() { - res.inputPreprocessors = []polynative.MultiLin{m.memPool.Clone(m.assignment[wire])} + res.inputPreprocessors = []sumcheck.NativeMultilinear{m.assignment[wire]} } else { - res.inputPreprocessors = make([]polynative.MultiLin, len(wire.Inputs)) + res.inputPreprocessors = make([]sumcheck.NativeMultilinear, len(wire.Inputs)) for inputI, inputW := range wire.Inputs { - res.inputPreprocessors[inputI] = m.memPool.Clone(m.assignment[inputW]) //will be edited later, so must be deep copied + res.inputPreprocessors[inputI] = m.assignment[inputW] //will be edited later, so must be deep copied } } return res @@ -316,20 +313,20 @@ func (m *claimsManager) deleteClaim(wire *Wire) { type eqTimesGateEvalSumcheckLazyClaims struct { wire *Wire - evaluationPoints [][]frontend.Variable // x in the paper - claimedEvaluations []frontend.Variable // y in the paper + evaluationPoints [][]big.Int // x in the paper + claimedEvaluations []big.Int // y in the paper manager *claimsManager } type eqTimesGateEvalSumcheckClaims struct { wire *Wire - evaluationPoints [][]frontend.Variable // x in the paper - claimedEvaluations []frontend.Variable // y in the paper + evaluationPoints [][]big.Int // x in the paper + claimedEvaluations []big.Int // y in the paper manager *claimsManager + engine *sumcheck.BigIntEngineWrapper + inputPreprocessors []sumcheck.NativeMultilinear // P_u in the paper, so that we don't need to pass along all the circuit's evaluations - inputPreprocessors []polynative.MultiLin // P_u in the paper, so that we don't need to pass along all the circuit's evaluations - - eq polynative.MultiLin // ∑_i τ_i eq(x_i, -) + eq sumcheck.NativeMultilinear // ∑_i τ_i eq(x_i, -) } func (e *eqTimesGateEvalSumcheckClaims) NbClaims() int { @@ -340,90 +337,72 @@ func (e *eqTimesGateEvalSumcheckClaims) NbVars() int { return len(e.evaluationPoints[0]) } -func (c *eqTimesGateEvalSumcheckClaims) Combine(api frontend.API, combinationCoeff *frontend.Variable) polynative.Polynomial { - varsNum := c.NbVars() +func (c *eqTimesGateEvalSumcheckClaims) Combine(combinationCoeff *big.Int) sumcheck.NativePolynomial { + varsNum := c.VarsNum() eqLength := 1 << varsNum - claimsNum := c.NbClaims() + claimsNum := c.ClaimsNum() // initialize the eq tables - c.eq = c.manager.memPool.Make(eqLength) + c.eq = make(sumcheck.NativeMultilinear, eqLength) - c.eq[0] = frontend.Variable(1) - c.eq.Eq(api, c.evaluationPoints[0]) + c.eq[0] = big.NewInt(1) + sumcheck.Eq(c.engine.Engine, c.eq, sumcheck.ReferenceBigIntSlice(c.evaluationPoints[0])) - newEq := polynative.MultiLin(c.manager.memPool.Make(eqLength)) + newEq := make(sumcheck.NativeMultilinear, eqLength) aI := combinationCoeff for k := 1; k < claimsNum; k++ { // TODO: parallelizable? // define eq_k = aᵏ eq(x_k1, ..., x_kn, *, ..., *) where x_ki are the evaluation points - frontend.Set(&newEq[0], &aI) + newEq[0].Set(aI) - c.eqAcc(api, c.eq, newEq, c.evaluationPoints[k]) + c.eqAcc(c.eq, newEq, c.evaluationPoints[k]) // newEq.Eq(c.evaluationPoints[k]) - // eqAsPoly := polynomial.Polynomial(c.eq) //just semantics - // eqAsPoly.Add(eqAsPoly, polynomial.Polynomial(newEq)) + // eqAsPoly := sumcheck.NativePolynomial(c.eq) //just semantics + // eqAsPoly.Add(eqAsPoly, sumcheck.NativePolynomial(newEq)) if k+1 < claimsNum { - api.Mul(&aI, &combinationCoeff) + aI.Mul(aI, combinationCoeff) } } - c.manager.memPool.Dump(newEq) - // from this point on the claim is a rather simple one: g = E(h) × R_v (P_u0(h), ...) where E and the P_u are multilinear and R_v is of low-degree - - return c.computeGJ(api) + return c.computeGJ() } // eqAcc sets m to an eq table at q and then adds it to e -func (c *eqTimesGateEvalSumcheckClaims) eqAcc(api frontend.API, e, m polynative.MultiLin, q []frontend.Variable) { +func (c *eqTimesGateEvalSumcheckClaims) eqAcc(e, m sumcheck.NativeMultilinear, q []big.Int) { n := len(q) //At the end of each iteration, m(h₁, ..., hₙ) = Eq(q₁, ..., qᵢ₊₁, h₁, ..., hᵢ₊₁) for i := range q { // In the comments we use a 1-based index so q[i] = qᵢ₊₁ // go through all assignments of (b₁, ..., bᵢ) ∈ {0,1}ⁱ - const threshold = 1 << 6 k := 1 << i - if k < threshold { for j := 0; j < k; j++ { j0 := j << (n - i) // bᵢ₊₁ = 0 j1 := j0 + 1<<(n-1-i) // bᵢ₊₁ = 1 - m[j1] = api.Mul(&q[i], &m[j0]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) qᵢ₊₁ - m[j0] = api.Sub(&m[j0], &m[j1]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) (1-qᵢ₊₁) + m[j1].Mul(&q[i], m[j0]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) qᵢ₊₁ + m[j0].Sub(m[j0], m[j1]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) (1-qᵢ₊₁) } - } else { - c.manager.workers.Submit(k, func(start, end int) { - for j := start; j < end; j++ { - j0 := j << (n - i) // bᵢ₊₁ = 0 - j1 := j0 + 1<<(n-1-i) // bᵢ₊₁ = 1 - - m[j1] = api.Mul(&q[i], &m[j0]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) qᵢ₊₁ - m[j0] = api.Sub(&m[j0], &m[j1]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) (1-qᵢ₊₁) - } - }, 1024).Wait() - } } - c.manager.workers.Submit(len(e), func(start, end int) { - for i := start; i < end; i++ { - e[i] = api.Add(&e[i], &m[i]) - } - }, 512).Wait() - // e.Add(e, polynomial.Polynomial(m)) + for i := 0; i < len(e); i++ { + e[i].Add(e[i], m[i]) + } + // e.Add(e, sumcheck.NativePolynomial(m)) } // computeGJ: gⱼ = ∑_{0≤i<2ⁿ⁻ʲ} g(r₁, r₂, ..., rⱼ₋₁, Xⱼ, i...) = ∑_{0≤i<2ⁿ⁻ʲ} E(r₁, ..., X_j, i...) R_v( P_u0(r₁, ..., X_j, i...), ... ) where E = ∑ eq_k // the polynomial is represented by the evaluations g_j(1), g_j(2), ..., g_j(deg(g_j)). // The value g_j(0) is inferred from the equation g_j(0) + g_j(1) = gⱼ₋₁(rⱼ₋₁). By convention, g₀ is a constant polynomial equal to the claimed sum. -func (c *eqTimesGateEvalSumcheckClaims) computeGJ(api frontend.API) polynative.Polynomial { +func (c *eqTimesGateEvalSumcheckClaims) computeGJ() sumcheck.NativePolynomial { degGJ := 1 + c.wire.Gate.Degree() // guaranteed to be no smaller than the actual deg(g_j) nbGateIn := len(c.inputPreprocessors) // Let f ∈ { E(r₁, ..., X_j, d...) } ∪ {P_ul(r₁, ..., X_j, d...) }. It is linear in X_j, so f(m) = m×(f(1) - f(0)) + f(0), and f(0), f(1) are easily computed from the bookkeeping tables - s := make([]polynative.MultiLin, nbGateIn+1) + s := make([]sumcheck.NativeMultilinear, nbGateIn+1) s[0] = c.eq copy(s[1:], c.inputPreprocessors) @@ -431,23 +410,23 @@ func (c *eqTimesGateEvalSumcheckClaims) computeGJ(api frontend.API) polynative.P nbInner := len(s) // wrt output, which has high nbOuter and low nbInner nbOuter := len(s[0]) / 2 - gJ := make([]frontend.Variable, degGJ) + gJ := make([]*big.Int, degGJ) var mu sync.Mutex computeAll := func(start, end int) { - var step frontend.Variable + var step big.Int - res := make([]frontend.Variable, degGJ) - operands := make([]frontend.Variable, degGJ*nbInner) + res := make([]big.Int, degGJ) + operands := make([]big.Int, degGJ*nbInner) for i := start; i < end; i++ { block := nbOuter + i for j := 0; j < nbInner; j++ { - frontend.Set(step, s[j][i]) - frontend.Set(operands[j], s[j][block]) - step = api.Sub(&operands[j], &step) + step.Set(s[j][i]) + operands[j].Set(s[j][block]) + step.Sub(&operands[j], &step) for d := 1; d < degGJ; d++ { - operands[d*nbInner+j] = api.Add(&operands[(d-1)*nbInner+j], &step) + operands[d*nbInner+j].Add(&operands[(d-1)*nbInner+j], &step) } } @@ -455,14 +434,14 @@ func (c *eqTimesGateEvalSumcheckClaims) computeGJ(api frontend.API) polynative.P _e := nbInner for d := 0; d < degGJ; d++ { summand := c.wire.Gate.Evaluate(operands[_s+1 : _e]...) - summand = api.Mul(&summand, &operands[_s]) - res[d] = api.Add(&res[d], &summand) + summand.Mul(&summand, &operands[_s]) + res[d].Add(&res[d], &summand) _s, _e = _e, _e+nbInner } } mu.Lock() for i := 0; i < len(gJ); i++ { - gJ[i] = api.Add(&gJ[i], &res[i]) + gJ[i].Add(gJ[i], &res[i]) } mu.Unlock() } @@ -472,9 +451,7 @@ func (c *eqTimesGateEvalSumcheckClaims) computeGJ(api frontend.API) polynative.P if nbOuter < minBlockSize { // no parallelization computeAll(0, nbOuter) - } else { - c.manager.workers.Submit(nbOuter, computeAll, minBlockSize).Wait() - } + } // Perf-TODO: Separate functions Gate.TotalDegree and Gate.Degree(i) so that we get to use possibly smaller values for degGJ. Won't help with MiMC though @@ -482,33 +459,32 @@ func (c *eqTimesGateEvalSumcheckClaims) computeGJ(api frontend.API) polynative.P } // Next first folds the "preprocessing" and "eq" polynomials then compute the new g_j -func (c *eqTimesGateEvalSumcheckClaims) Next(api frontend.API, element *frontend.Variable) polynative.Polynomial { - const minBlockSize = 512 +func (c *eqTimesGateEvalSumcheckClaims) Next(element *big.Int) sumcheck.NativePolynomial { + const minBlockSize = 512 //asktodo whats the block size for our usecase/number of variable in multilinear poly? n := len(c.eq) / 2 if n < minBlockSize { // no parallelization for i := 0; i < len(c.inputPreprocessors); i++ { - c.inputPreprocessors[i].Fold(api, element) - } - c.eq.Fold(api, element) - } else { - wgs := make([]*sync.WaitGroup, len(c.inputPreprocessors)) - for i := 0; i < len(c.inputPreprocessors); i++ { - wgs[i] = c.manager.workers.Submit(n, c.inputPreprocessors[i].FoldParallel(api, element), minBlockSize) - } - c.manager.workers.Submit(n, c.eq.FoldParallel(api, element), minBlockSize).Wait() - for _, wg := range wgs { - wg.Wait() + sumcheck.Fold(c.engine.Engine, c.inputPreprocessors[i], element) } + sumcheck.Fold(c.engine.Engine, c.eq, element) } - return c.computeGJ(api) + return c.computeGJ() +} + +func (c *eqTimesGateEvalSumcheckClaims) VarsNum() int { + return len(c.evaluationPoints[0]) +} + +func (c *eqTimesGateEvalSumcheckClaims) ClaimsNum() int { + return len(c.claimedEvaluations) } -func (c *eqTimesGateEvalSumcheckClaims) ProverFinalEval(api frontend.API, r []frontend.Variable) nativeEvaluationProof { +func (c *eqTimesGateEvalSumcheckClaims) ProverFinalEval(r []*big.Int) sumcheck.NativeEvaluationProof { //defer the proof, return list of claims - evaluations := make([]frontend.Variable, 0, len(c.wire.Inputs)) + evaluations := make([]big.Int, 0, len(c.wire.Inputs)) noMoreClaimsAllowed := make(map[*Wire]struct{}, len(c.inputPreprocessors)) noMoreClaimsAllowed[c.wire] = struct{}{} @@ -516,15 +492,12 @@ func (c *eqTimesGateEvalSumcheckClaims) ProverFinalEval(api frontend.API, r []fr puI := c.inputPreprocessors[inI] if _, found := noMoreClaimsAllowed[in]; !found { noMoreClaimsAllowed[in] = struct{}{} - puI.Fold(api, r[len(r)-1]) - c.manager.add(in, r, puI[0]) - evaluations = append(evaluations, puI[0]) + sumcheck.Fold(c.engine.Engine, puI, r[len(r)-1]) + c.manager.add(in, sumcheck.DereferenceBigIntSlice(r), *puI[0]) + evaluations = append(evaluations, *puI[0]) } - c.manager.memPool.Dump(puI) } - c.manager.memPool.Dump(c.claimedEvaluations, c.eq) - return evaluations } @@ -532,7 +505,7 @@ func (e *eqTimesGateEvalSumcheckClaims) Degree(int) int { return 1 + e.wire.Gate.Degree() } -func setup(api frontend.API, c Circuit, assignment WireAssignment, transcriptSettings fiatshamir.Settings, options ...OptionGkr) (settings, error) { +func setup(api frontend.API, current *big.Int, target *big.Int, c Circuit, assignment WireAssignment, options ...OptionGkr) (settings, error) { var o settings var err error for _, option := range options { @@ -545,76 +518,51 @@ func setup(api frontend.API, c Circuit, assignment WireAssignment, transcriptSet return o, fmt.Errorf("number of instances must be power of 2") } - if o.pool == nil { - pool := polynative.NewPool(c.MemoryRequirements(nbInstances)...) - o.pool = &pool - } - - if o.workers == nil { - o.workers = utils.NewWorkerPool() - } - if o.sorted == nil { o.sorted = topologicalSort(c) } - if transcriptSettings.Transcript == nil { - challengeNames := ChallengeNames(o.sorted, o.nbVars, transcriptSettings.Prefix) - o.transcript = fiatshamir.NewTranscript(api, transcriptSettings.Hash, challengeNames) - if err = o.transcript.Bind(challengeNames[0], transcriptSettings.BaseChallenges); err != nil { - return o, err + if o.transcript == nil { + + challengeNames := ChallengeNames(o.sorted, o.nbVars, o.transcriptPrefix) + fshash, err := recursion.NewShort(current, target) + if err != nil { + return o, fmt.Errorf("new short hash: %w", err) + } + o.transcript = cryptofiatshamir.NewTranscript(fshash, challengeNames...) + if err != nil { + return o, fmt.Errorf("new transcript: %w", err) + } + + // bind challenge from previous round if it is a continuation + if err = sumcheck.BindChallengeProver(o.transcript, challengeNames[0], o.baseChallenges); err != nil { + return o, fmt.Errorf("base: %w", err) } + } else { - o.transcript, o.transcriptPrefix = transcriptSettings.Transcript, transcriptSettings.Prefix + o.transcript, o.transcriptPrefix = o.transcript, o.transcriptPrefix } return o, err } type settings struct { - pool *polynative.Pool sorted []*Wire - transcript *fiatshamir.Transcript + transcript *cryptofiatshamir.Transcript + baseChallenges []*big.Int transcriptPrefix string nbVars int - workers *utils.WorkerPool } type OptionSet func(*settings) -func WithPool(pool *polynative.Pool) OptionSet { - return func(options *settings) { - options.pool = pool - } -} - func WithSortedCircuitSet(sorted []*Wire) OptionSet { return func(options *settings) { options.sorted = sorted } } -func WithWorkers(workers *utils.WorkerPool) OptionSet { - return func(options *settings) { - options.workers = workers - } -} - -// MemoryRequirements returns an increasing vector of memory allocation sizes required for proving a GKR statement -func (c Circuit) MemoryRequirements(nbInstances int) []int { - res := []int{256, nbInstances, nbInstances * (c.maxGateDegree() + 1)} - - if res[0] > res[1] { // make sure it's sorted - res[0], res[1] = res[1], res[0] - if res[1] > res[2] { - res[1], res[2] = res[2], res[1] - } - } - - return res -} - -type ProofGkr []nativeProofGKR +type NativeProofs []sumcheck.NativeProof type OptionGkr func(*settings) @@ -633,38 +581,53 @@ func WithSortedCircuit[FR emulated.FieldParams](sorted []*WireFr[FR]) OptionFr[F } } +type config struct { + prefix string +} + +func newConfig(opts ...sumcheck.Option) (*config, error) { + cfg := new(config) + for i := range opts { + if err := opts[i](cfg); err != nil { + return nil, fmt.Errorf("apply option %d: %w", i, err) + } + } + return cfg, nil +} + // Verifier allows to check sumcheck proofs. See [NewVerifier] for initializing the instance. type GKRVerifier[FR emulated.FieldParams] struct { - api frontend.API - engine emuEngine[FR] - f *emulated.Field[FR] - p *polynomial.Polynomial[FR] + api frontend.API + f *emulated.Field[FR] + p *polynomial.Polynomial[FR] *config } -// NewVerifier initializes a new sumcheck verifier for the parametric emulated -// field FR. It returns an error if the given options are invalid or when -// initializing emulated arithmetic fails. -func NewGKRVerifier[FR emulated.FieldParams](api frontend.API, opts ...Option) (*GKRVerifier[FR], error) { - cfg, err := newConfig(opts...) - if err != nil { - return nil, fmt.Errorf("new configuration: %w", err) - } - f, err := emulated.NewField[FR](api) - if err != nil { - return nil, fmt.Errorf("new field: %w", err) - } - p, err := polynomial.New[FR](api) - if err != nil { - return nil, fmt.Errorf("new polynomial: %w", err) - } - return &GKRVerifier[FR]{ - api: api, - f: f, - p: p, - config: cfg, - }, nil -} +// // NewVerifier initializes a new sumcheck verifier for the parametric emulated +// // field FR. It returns an error if the given options are invalid or when +// // initializing emulated arithmetic fails. +// func NewGKRVerifier[FR emulated.FieldParams](api frontend.API, opts ...sumcheck.Option) (*GKRVerifier[FR], error) { +// cfg, err := newConfig(opts...) +// if err != nil { +// return nil, fmt.Errorf("new configuration: %w", err) +// } + +// f, err := emulated.NewField[FR](api) +// if err != nil { +// return nil, fmt.Errorf("new field: %w", err) +// } + +// p, err := polynomial.New[FR](api) +// if err != nil { +// return nil, fmt.Errorf("new polynomial: %w", err) +// } +// return &GKRVerifier[FR]{ +// api: api, +// f: f, +// p: p, +// config: cfg, +// }, nil +// } // bindChallenge binds the values for challengeName using in-circuit Fiat-Shamir transcript. func (v *GKRVerifier[FR]) bindChallenge(fs *fiatshamir.Transcript, challengeName string, values []emulated.Element[FR]) error { @@ -858,65 +821,67 @@ func (v *GKRVerifier[FR]) getChallengesFr(transcript *fiatshamir.Transcript, nam var challenge emulated.Element[FR] var fr FR for i, name := range names { - nativeChallenge, err := transcript.ComputeChallenge(name); + nativeChallenge, err := transcript.ComputeChallenge(name) if err != nil { return nil, fmt.Errorf("compute challenge %s: %w", names, err) } - // TODO: when implementing better way (construct from limbs instead of bits) then change + // TODO: when implementing better way (construct from limbs instead of bits) then change chBts := bits.ToBinary(v.api, nativeChallenge, bits.WithNbDigits(fr.Modulus().BitLen())) challenge = *v.f.FromBits(chBts...) challenges[i] = challenge - + } return challenges, nil } // Prove consistency of the claimed assignment -func Prove(api frontend.API, target *big.Int, c Circuit, assignment WireAssignment, transcriptSettings fiatshamir.Settings, options ...OptionGkr) (ProofGkr, error) { - o, err := setup(api, c, assignment, transcriptSettings, options...) +func Prove(api frontend.API, current *big.Int, target *big.Int, c Circuit, assignment WireAssignment, transcriptSettings fiatshamir.Settings, options ...OptionGkr) (NativeProofs, error) { + be := sumcheck.NewBigIntEngine(target) + o, err := setup(api, current, target, c, assignment, options...) if err != nil { return nil, err } - defer o.workers.Stop() claims := newClaimsManager(c, assignment, o) - proof := make(ProofGkr, len(c)) + proof := make(NativeProofs, len(c)) // firstChallenge called rho in the paper - var firstChallenge []frontend.Variable - firstChallenge, err = getChallenges(o.transcript, getFirstChallengeNames(o.nbVars, o.transcriptPrefix)) - if err != nil { - return nil, err + var firstChallenge []*big.Int + challengeNames := getFirstChallengeNames(o.nbVars, o.transcriptPrefix) + for i := 0; i < len(challengeNames); i++ { + firstChallenge[i], _, err = sumcheck.DeriveChallengeProver(o.transcript, challengeNames[i:], nil) + if err != nil { + return nil, err + } } - wirePrefix := o.transcriptPrefix + "w" - var baseChallenge []frontend.Variable + var baseChallenge []*big.Int for i := len(c) - 1; i >= 0; i-- { wire := o.sorted[i] if wire.IsOutput() { - claims.add(wire, firstChallenge, assignment[wire].EvaluatePool(api, firstChallenge, claims.memPool)) + evaluation := sumcheck.Eval(be, assignment[wire], firstChallenge) + claims.add(wire, sumcheck.DereferenceBigIntSlice(firstChallenge), *evaluation) } claim := claims.getClaim(wire) if wire.noProof() { // input wires with one claim only - proof[i] = nativeProofGKR{ - PartialSumPolys: []polynative.Polynomial{}, - FinalEvalProof: []frontend.Variable{}, + proof[i] = sumcheck.NativeProof{ + RoundPolyEvaluations: []sumcheck.NativePolynomial{}, + FinalEvalProof: []big.Int{}, } } else { - if proof[i], err = SumcheckProve( - api, target, claim, fiatshamir.WithTranscript(o.transcript, wirePrefix+strconv.Itoa(i)+".", baseChallenge...), + if proof[i], err = sumcheck.Prove( + current, target, claim, ); err != nil { return proof, err } - finalEvalProof := proof[i].FinalEvalProof.([]frontend.Variable) - baseChallenge = make([]frontend.Variable, len(finalEvalProof)) + finalEvalProof := proof[i].FinalEvalProof.([]*big.Int) + baseChallenge = make([]*big.Int, len(finalEvalProof)) for j := range finalEvalProof { - bytes := frontend.ToBytes(finalEvalProof[j]) - baseChallenge[j] = bytes[:] + baseChallenge[j] = finalEvalProof[j] } } // the verifier checks a single claim about input wires itself @@ -927,14 +892,14 @@ func Prove(api frontend.API, target *big.Int, c Circuit, assignment WireAssignme } // Verify the consistency of the claimed output with the claimed input -// Unlike in Prove, the assignment argument need not be complete, +// Unlike in Prove, the assignment argument need not be complete, // Use valueOfProof[FR](proof) to convert nativeproof by prover into nonnativeproof used by in-circuit verifier func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment WireAssignmentFr[FR], proof Proofs[FR], transcriptSettings fiatshamir.SettingsFr[FR], options ...OptionFr[FR]) error { o, err := v.setup(api, c, assignment, transcriptSettings, options...) if err != nil { return err } - sumcheck_verifier, err := NewVerifier[FR](api) + sumcheck_verifier, err := sumcheck.NewVerifier[FR](api) if err != nil { return err } @@ -967,7 +932,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W if wire.noProof() { // input wires with one claim only // make sure the proof is empty - if len(finalEvalProof) != 0 || len(proofW.PartialSumPolys) != 0 { + if len(finalEvalProof) != 0 || len(proofW.RoundPolyEvaluations) != 0 { return fmt.Errorf("no proof allowed for input wire with a single claim") } @@ -996,7 +961,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W type IdentityGate struct{} -func (IdentityGate) Evaluate(input ...frontend.Variable) frontend.Variable { +func (IdentityGate) Evaluate(input ...big.Int) big.Int { return input[0] } @@ -1228,16 +1193,16 @@ func (a WireAssignmentFr[FR]) NumVars() int { func (p Proofs[FR]) Serialize() []emulated.Element[FR] { size := 0 for i := range p { - for j := range p[i].PartialSumPolys { - size += len(p[i].PartialSumPolys[j]) + for j := range p[i].RoundPolyEvaluations { + size += len(p[i].RoundPolyEvaluations[j]) } size += len(p[i].FinalEvalProof) } res := make([]emulated.Element[FR], 0, size) for i := range p { - for j := range p[i].PartialSumPolys { - res = append(res, p[i].PartialSumPolys[j]...) + for j := range p[i].RoundPolyEvaluations { + res = append(res, p[i].RoundPolyEvaluations[j]...) } res = append(res, p[i].FinalEvalProof...) } @@ -1277,9 +1242,9 @@ func DeserializeProof[FR emulated.FieldParams](sorted []*WireFr[FR], serializedP reader := variablesReader[FR](serializedProof) for i, wI := range sorted { if !wI.noProof() { - proof[i].PartialSumPolys = make([]polynomial.Univariate[FR], logNbInstances) - for j := range proof[i].PartialSumPolys { - proof[i].PartialSumPolys[j] = reader.nextN(wI.Gate.Degree() + 1) + proof[i].RoundPolyEvaluations = make([]polynomial.Univariate[FR], logNbInstances) + for j := range proof[i].RoundPolyEvaluations { + proof[i].RoundPolyEvaluations[j] = reader.nextN(wI.Gate.Degree() + 1) } } proof[i].FinalEvalProof = reader.nextN(wI.nbUniqueInputs()) @@ -1324,7 +1289,3 @@ func (a AddGate[FR]) Evaluate(api emuEngine[FR], v ...emulated.Element[FR]) emul func (a AddGate[FR]) Degree() int { return 1 } - - - - diff --git a/std/recursion/sumcheck/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go similarity index 97% rename from std/recursion/sumcheck/gkr_nonnative_test.go rename to std/recursion/gkr/gkr_nonnative_test.go index 5633e5b2fd..8acc22b3b7 100644 --- a/std/recursion/sumcheck/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -8,28 +8,29 @@ import ( "reflect" "testing" - "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark-crypto/ecc" "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/frontend/cs/r1cs" "github.com/consensys/gnark/profile" fiatshamir "github.com/consensys/gnark/std/fiat-shamir" + "github.com/consensys/gnark/std/hash" + "github.com/consensys/gnark/std/math/emulated" mathpoly "github.com/consensys/gnark/std/math/polynomial" + "github.com/consensys/gnark/std/recursion" + "github.com/consensys/gnark/std/recursion/sumcheck" "github.com/consensys/gnark/test" "github.com/stretchr/testify/assert" - "github.com/consensys/gnark/std/recursion" - "github.com/consensys/gnark/std/hash" ) -type FR = emulated.P256Fp +type FR = emulated.BN254Fr var Gates = map[string]GateFr[FR]{ "identity": IdentityGateFr[FR]{}, "add": AddGate[FR]{}, "mul": MulGate[FR]{}, } -func TestGkrVectors(t *testing.T) { +func TestGkrVectorsFr(t *testing.T) { testDirPath := "./test_vectors" dirEntries, err := os.ReadDir(testDirPath) @@ -297,7 +298,7 @@ func init() { Gates["select-input-3"] = _select(2) } -func (g _select) Evaluate(_ emuEngine[FR], in ...emulated.Element[FR]) emulated.Element[FR] { +func (g _select) Evaluate(_ sumcheck.emuEngine[FR], in ...emulated.Element[FR]) emulated.Element[FR] { return in[g] } @@ -309,7 +310,7 @@ type PrintableProof []PrintableSumcheckProof type PrintableSumcheckProof struct { FinalEvalProof interface{} `json:"finalEvalProof"` - PartialSumPolys [][]interface{} `json:"partialSumPolys"` + RoundPolyEvaluations [][]interface{} `json:"partialSumPolys"` } func unmarshalProof(printable PrintableProof) (proof Proofs[FR]) { @@ -328,9 +329,9 @@ func unmarshalProof(printable PrintableProof) (proof Proofs[FR]) { proof[i].FinalEvalProof = nil } - proof[i].PartialSumPolys = make([]mathpoly.Univariate[FR], len(printable[i].PartialSumPolys)) - for k := range printable[i].PartialSumPolys { - proof[i].PartialSumPolys[k] = ToVariableSliceFr[FR](printable[i].PartialSumPolys[k]) + proof[i].RoundPolyEvaluations = make([]mathpoly.Univariate[FR], len(printable[i].RoundPolyEvaluations)) + for k := range printable[i].RoundPolyEvaluations { + proof[i].RoundPolyEvaluations[k] = ToVariableSliceFr[FR](printable[i].RoundPolyEvaluations[k]) } } return diff --git a/std/recursion/gkr/test_vectors/mimc_five_levels_two_instances._json b/std/recursion/gkr/test_vectors/mimc_five_levels_two_instances._json new file mode 100644 index 0000000000..446d23fdb2 --- /dev/null +++ b/std/recursion/gkr/test_vectors/mimc_five_levels_two_instances._json @@ -0,0 +1,7 @@ +{ + "hash": {"type": "const", "val": -1}, + "circuit": "resources/mimc_five_levels.json", + "input": [[1, 3], [1, 3], [1, 3], [1, 3], [1, 3], [1, 3]], + "output": [[4, 3]], + "proof": [[{"partialSumPolys":[[3,4]],"finalEvalProof":[3]}],[{"partialSumPolys":null,"finalEvalProof":null}]] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/mimc_five_levels.json b/std/recursion/gkr/test_vectors/resources/mimc_five_levels.json new file mode 100644 index 0000000000..3dd74f42b5 --- /dev/null +++ b/std/recursion/gkr/test_vectors/resources/mimc_five_levels.json @@ -0,0 +1,36 @@ +[ + [ + { + "gate": "mimc", + "inputs": [[1,0], [5,5]] + } + ], + [ + { + "gate": "mimc", + "inputs": [[2,0], [5,4]] + } + ], + [ + { + "gate": "mimc", + "inputs": [[3,0], [5,3]] + } + ], + [ + { + "gate": "mimc", + "inputs": [[4,0], [5,2]] + } + ], + [ + { + "gate": "mimc", + "inputs": [[5,0], [5,1]] + } + ], + [ + {"gate": null, "inputs": []}, {"gate": null, "inputs": []}, {"gate": null, "inputs": []}, + {"gate": null, "inputs": []}, {"gate": null, "inputs": []}, {"gate": null, "inputs": []} + ] +] \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/single_identity_gate.json b/std/recursion/gkr/test_vectors/resources/single_identity_gate.json new file mode 100644 index 0000000000..a44066c7b4 --- /dev/null +++ b/std/recursion/gkr/test_vectors/resources/single_identity_gate.json @@ -0,0 +1,10 @@ +[ + { + "gate": null, + "inputs": [] + }, + { + "gate": "identity", + "inputs": [0] + } +] \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates.json b/std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates.json new file mode 100644 index 0000000000..6181784fa8 --- /dev/null +++ b/std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates.json @@ -0,0 +1,14 @@ +[ + { + "gate": null, + "inputs": [] + }, + { + "gate": "identity", + "inputs": [0] + }, + { + "gate": "identity", + "inputs": [0] + } +] \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/single_input_two_outs.json b/std/recursion/gkr/test_vectors/resources/single_input_two_outs.json new file mode 100644 index 0000000000..c577c1cace --- /dev/null +++ b/std/recursion/gkr/test_vectors/resources/single_input_two_outs.json @@ -0,0 +1,14 @@ +[ + { + "gate": null, + "inputs": [] + }, + { + "gate": "mul", + "inputs": [0, 0] + }, + { + "gate": "identity", + "inputs": [0] + } +] \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/single_mimc_gate.json b/std/recursion/gkr/test_vectors/resources/single_mimc_gate.json new file mode 100644 index 0000000000..c89e7d52ae --- /dev/null +++ b/std/recursion/gkr/test_vectors/resources/single_mimc_gate.json @@ -0,0 +1,7 @@ +[ + {"gate": null, "inputs": []}, {"gate": null, "inputs": []}, + { + "gate": "mimc", + "inputs": [0, 1] + } +] \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/single_mul_gate.json b/std/recursion/gkr/test_vectors/resources/single_mul_gate.json new file mode 100644 index 0000000000..0f65a07edf --- /dev/null +++ b/std/recursion/gkr/test_vectors/resources/single_mul_gate.json @@ -0,0 +1,14 @@ +[ + { + "gate": null, + "inputs": [] + }, + { + "gate": null, + "inputs": [] + }, + { + "gate": "mul", + "inputs": [0, 1] + } +] \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input.json b/std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input.json new file mode 100644 index 0000000000..26681c2f89 --- /dev/null +++ b/std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input.json @@ -0,0 +1,14 @@ +[ + { + "gate": null, + "inputs": [] + }, + { + "gate": "identity", + "inputs": [0] + }, + { + "gate": "identity", + "inputs": [1] + } +] \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/two_inputs_select-input-3_gate.json b/std/recursion/gkr/test_vectors/resources/two_inputs_select-input-3_gate.json new file mode 100644 index 0000000000..cdbdb3b471 --- /dev/null +++ b/std/recursion/gkr/test_vectors/resources/two_inputs_select-input-3_gate.json @@ -0,0 +1,14 @@ +[ + { + "gate": null, + "inputs": [] + }, + { + "gate": null, + "inputs": [] + }, + { + "gate": "select-input-3", + "inputs": [0,0,1] + } +] \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json b/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json new file mode 100644 index 0000000000..ce326d0a63 --- /dev/null +++ b/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json @@ -0,0 +1,36 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/single_identity_gate.json", + "input": [ + [ + 4, + 3 + ] + ], + "output": [ + [ + 4, + 3 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "partialSumPolys": [] + }, + { + "finalEvalProof": [ + 5 + ], + "partialSumPolys": [ + [ + -3, + -8 + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json b/std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json new file mode 100644 index 0000000000..2c95f044f2 --- /dev/null +++ b/std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json @@ -0,0 +1,56 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/single_input_two_identity_gates.json", + "input": [ + [ + 2, + 3 + ] + ], + "output": [ + [ + 2, + 3 + ], + [ + 2, + 3 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "partialSumPolys": [ + [ + 0, + 0 + ] + ] + }, + { + "finalEvalProof": [ + 1 + ], + "partialSumPolys": [ + [ + -3, + -16 + ] + ] + }, + { + "finalEvalProof": [ + 1 + ], + "partialSumPolys": [ + [ + -3, + -16 + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json b/std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json new file mode 100644 index 0000000000..d348303d0e --- /dev/null +++ b/std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json @@ -0,0 +1,57 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/single_input_two_outs.json", + "input": [ + [ + 1, + 2 + ] + ], + "output": [ + [ + 1, + 4 + ], + [ + 1, + 2 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "partialSumPolys": [ + [ + 0, + 0 + ] + ] + }, + { + "finalEvalProof": [ + 0 + ], + "partialSumPolys": [ + [ + -4, + -36, + -112 + ] + ] + }, + { + "finalEvalProof": [ + 0 + ], + "partialSumPolys": [ + [ + -2, + -12 + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_mimc_gate_four_instances.json b/std/recursion/gkr/test_vectors/single_mimc_gate_four_instances.json new file mode 100644 index 0000000000..525459ecb1 --- /dev/null +++ b/std/recursion/gkr/test_vectors/single_mimc_gate_four_instances.json @@ -0,0 +1,67 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/single_mimc_gate.json", + "input": [ + [ + 1, + 1, + 2, + 1 + ], + [ + 1, + 2, + 2, + 1 + ] + ], + "output": [ + [ + 128, + 2187, + 16384, + 128 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "partialSumPolys": [] + }, + { + "finalEvalProof": [], + "partialSumPolys": [] + }, + { + "finalEvalProof": [ + -1, + -3 + ], + "partialSumPolys": [ + [ + -32640, + -2239484, + -29360128, + "-200000010", + "-931628672", + "-3373267120", + "-10200858624", + "-26939400158" + ], + [ + -81920, + -41943040, + "-1254113280", + "-13421772800", + "-83200000000", + "-366917713920", + "-1281828208640", + "-3779571220480" + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_mimc_gate_two_instances.json b/std/recursion/gkr/test_vectors/single_mimc_gate_two_instances.json new file mode 100644 index 0000000000..7fa23ce4b1 --- /dev/null +++ b/std/recursion/gkr/test_vectors/single_mimc_gate_two_instances.json @@ -0,0 +1,51 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/single_mimc_gate.json", + "input": [ + [ + 1, + 1 + ], + [ + 1, + 2 + ] + ], + "output": [ + [ + 128, + 2187 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "partialSumPolys": [] + }, + { + "finalEvalProof": [], + "partialSumPolys": [] + }, + { + "finalEvalProof": [ + 1, + 0 + ], + "partialSumPolys": [ + [ + -2187, + -65536, + -546875, + -2799360, + -10706059, + -33554432, + -90876411, + "-220000000" + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json b/std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json new file mode 100644 index 0000000000..75c1d59c3d --- /dev/null +++ b/std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json @@ -0,0 +1,46 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/single_mul_gate.json", + "input": [ + [ + 4, + 3 + ], + [ + 2, + 3 + ] + ], + "output": [ + [ + 8, + 9 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "partialSumPolys": [] + }, + { + "finalEvalProof": [], + "partialSumPolys": [] + }, + { + "finalEvalProof": [ + 5, + 1 + ], + "partialSumPolys": [ + [ + -9, + -32, + -35 + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json b/std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json new file mode 100644 index 0000000000..10e5f1ff3c --- /dev/null +++ b/std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json @@ -0,0 +1,47 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/two_identity_gates_composed_single_input.json", + "input": [ + [ + 2, + 1 + ] + ], + "output": [ + [ + 2, + 1 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "partialSumPolys": [] + }, + { + "finalEvalProof": [ + 3 + ], + "partialSumPolys": [ + [ + -1, + 0 + ] + ] + }, + { + "finalEvalProof": [ + 3 + ], + "partialSumPolys": [ + [ + -1, + 0 + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json b/std/recursion/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json new file mode 100644 index 0000000000..19e127df71 --- /dev/null +++ b/std/recursion/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json @@ -0,0 +1,45 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/two_inputs_select-input-3_gate.json", + "input": [ + [ + 0, + 1 + ], + [ + 2, + 3 + ] + ], + "output": [ + [ + 2, + 3 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "partialSumPolys": [] + }, + { + "finalEvalProof": [], + "partialSumPolys": [] + }, + { + "finalEvalProof": [ + -1, + 1 + ], + "partialSumPolys": [ + [ + -3, + -16 + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/sumcheck/arithengine.go b/std/recursion/sumcheck/arithengine.go index e0501b79d3..80edf3a0e9 100644 --- a/std/recursion/sumcheck/arithengine.go +++ b/std/recursion/sumcheck/arithengine.go @@ -30,6 +30,18 @@ type bigIntEngine struct { // TODO: we should also add pools for more efficient memory management. } +// BigIntEngineWrapper is an exported wrapper for bigIntEngine. +type BigIntEngineWrapper struct { + Engine *bigIntEngine +} + +// NewBigIntEngineWrapper creates a new BigIntEngineWrapper with the given modulus. +func NewBigIntEngineWrapper(mod *big.Int) *BigIntEngineWrapper { + return &BigIntEngineWrapper{ + Engine: NewBigIntEngine(mod), + } +} + func (be *bigIntEngine) Add(a, b *big.Int) *big.Int { dst := new(big.Int) dst.Add(a, b) @@ -59,7 +71,7 @@ func (be *bigIntEngine) Const(i *big.Int) *big.Int { return new(big.Int).Set(i) } -func newBigIntEngine(mod *big.Int) *bigIntEngine { +func NewBigIntEngine(mod *big.Int) *bigIntEngine { return &bigIntEngine{mod: new(big.Int).Set(mod)} } @@ -76,19 +88,10 @@ func (ee *emuEngine[FR]) Mul(a, b *emulated.Element[FR]) *emulated.Element[FR] { return ee.f.Mul(a, b) } -//todo fix this -func (ee *emuEngine[FR]) MulAcc(a, b, c *emulated.Element[FR]) *emulated.Element[FR] { - return ee.f.Mul(a, b) -} - func (ee *emuEngine[FR]) Sub(a, b *emulated.Element[FR]) *emulated.Element[FR] { return ee.f.Sub(a, b) } -func (ee *emuEngine[FR]) Div(a, b *emulated.Element[FR]) *emulated.Element[FR] { - return ee.f.Div(a, b) -} - func (ee *emuEngine[FR]) One() *emulated.Element[FR] { return ee.f.One() } @@ -97,10 +100,6 @@ func (ee *emuEngine[FR]) Const(i *big.Int) *emulated.Element[FR] { return ee.f.NewElement(i) } -func (ee *emuEngine[FR]) AssertIsEqual(a, b *emulated.Element[FR]) { - ee.f.AssertIsEqual(a, b) -} - func newEmulatedEngine[FR emulated.FieldParams](api frontend.API) (*emuEngine[FR], error) { f, err := emulated.NewField[FR](api) if err != nil { diff --git a/std/recursion/sumcheck/challenge.go b/std/recursion/sumcheck/challenge.go index ba105ece37..3a8759e346 100644 --- a/std/recursion/sumcheck/challenge.go +++ b/std/recursion/sumcheck/challenge.go @@ -25,7 +25,7 @@ func getChallengeNames(prefix string, nbClaims int, nbVars int) []string { } // bindChallengeProver binds the values for challengeName using native Fiat-Shamir transcript. -func bindChallengeProver(fs *cryptofiatshamir.Transcript, challengeName string, values []*big.Int) error { +func BindChallengeProver(fs *cryptofiatshamir.Transcript, challengeName string, values []*big.Int) error { for i := range values { buf := make([]byte, 32) values[i].FillBytes(buf) @@ -39,8 +39,8 @@ func bindChallengeProver(fs *cryptofiatshamir.Transcript, challengeName string, // deriveChallengeProver binds the values for challengeName and then returns the // challenge using native Fiat-Shamir transcript. It also returns the rest of // the challenge names for used in the protocol. -func deriveChallengeProver(fs *cryptofiatshamir.Transcript, challengeNames []string, values []*big.Int) (challenge *big.Int, restChallengeNames []string, err error) { - if err = bindChallengeProver(fs, challengeNames[0], values); err != nil { +func DeriveChallengeProver(fs *cryptofiatshamir.Transcript, challengeNames []string, values []*big.Int) (challenge *big.Int, restChallengeNames []string, err error) { + if err = BindChallengeProver(fs, challengeNames[0], values); err != nil { return nil, nil, fmt.Errorf("bind: %w", err) } nativeChallenge, err := fs.ComputeChallenge(challengeNames[0]) diff --git a/std/recursion/sumcheck/claim_intf.go b/std/recursion/sumcheck/claim_intf.go index 3511ac39a7..a71bb66d36 100644 --- a/std/recursion/sumcheck/claim_intf.go +++ b/std/recursion/sumcheck/claim_intf.go @@ -3,9 +3,7 @@ package sumcheck import ( "math/big" - "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/std/math/emulated" - "github.com/consensys/gnark/std/polynomial" ) // LazyClaims allows to verify the sumcheck proof by allowing different final evaluations. @@ -30,44 +28,12 @@ type claims interface { NbVars() int // Combine combines separate claims into a single sumcheckable claim using // the coefficient coeff. - Combine(coeff *big.Int) nativePolynomial + Combine(coeff *big.Int) NativePolynomial // Next fixes the next free variable to r, keeps the next variable free and // sums over a hypercube for the last variables. Instead of returning the // polynomial in coefficient form, it returns the evaluations at degree // different points. - Next(r *big.Int) nativePolynomial + Next(r *big.Int) NativePolynomial // ProverFinalEval returns the (lazy) evaluation proof. - ProverFinalEval(r []*big.Int) nativeEvaluationProof -} - -// claims is the interface for the claimable function for proving. -type claimsVar interface { - // NbClaims is the number of parallel sumcheck proofs. If larger than one then sumcheck verifier computes a challenge for combining the claims. - NbClaims() int - // NbVars is the number of variables for the evaluatable function. Defines the number of rounds in the sumcheck protocol. - NbVars() int - // Combine combines separate claims into a single sumcheckable claim using - // the coefficient coeff. - Combine(api frontend.API, coeff *frontend.Variable) polynomial.Polynomial - // Next fixes the next free variable to r, keeps the next variable free and - // sums over a hypercube for the last variables. Instead of returning the - // polynomial in coefficient form, it returns the evaluations at degree - // different points. - Next(api frontend.API, r *frontend.Variable) polynomial.Polynomial - // ProverFinalEval returns the (lazy) evaluation proof. - ProverFinalEval(api frontend.API, r []frontend.Variable) nativeEvaluationProof -} - -// LazyClaims allows to verify the sumcheck proof by allowing different final evaluations. -type LazyClaimsVar[FR emulated.FieldParams] interface { - // NbClaims is the number of parallel sumcheck proofs. If larger than one then sumcheck verifier computes a challenge for combining the claims. - NbClaims() int - // NbVars is the number of variables for the evaluatable function. Defines the number of rounds in the sumcheck protocol. - NbVars() int - // CombinedSum returns the folded claim for parallel verification. - CombinedSum(coeff *emulated.Element[FR]) *emulated.Element[FR] - // Degree returns the maximum degree of the variable i-th variable. - Degree(i int) int - // AssertEvaluation (lazily) asserts the correctness of the evaluation value expectedValue of the claim at r. - VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof EvaluationProofFr[FR]) error + ProverFinalEval(r []*big.Int) NativeEvaluationProof } \ No newline at end of file diff --git a/std/recursion/sumcheck/claimable_gate.go b/std/recursion/sumcheck/claimable_gate.go index 04884388ee..5122319641 100644 --- a/std/recursion/sumcheck/claimable_gate.go +++ b/std/recursion/sumcheck/claimable_gate.go @@ -163,13 +163,13 @@ type nativeGateClaim struct { // multi-instance input id to the instance value. This allows running // sumcheck over the hypercube. Every element in the slice represents the // input. - inputPreprocessors []nativeMultilinear + inputPreprocessors []NativeMultilinear - eq nativeMultilinear + eq NativeMultilinear } func newNativeGate(target *big.Int, gate gate[*bigIntEngine, *big.Int], inputs [][]*big.Int, evaluationPoints [][]*big.Int) (claim claims, evaluations []*big.Int, err error) { - be := newBigIntEngine(target) + be := &bigIntEngine{mod: new(big.Int).Set(target)} nbInputs := gate.NbInputs() if len(inputs) != nbInputs { return nil, nil, fmt.Errorf("expected %d inputs got %d", nbInputs, len(inputs)) @@ -184,7 +184,7 @@ func newNativeGate(target *big.Int, gate gate[*bigIntEngine, *big.Int], inputs [ evalInput := make([][]*big.Int, nbInstances) // TODO: pad input to power of two for i := range evalInput { - evalInput[i] = make(nativeMultilinear, nbInputs) + evalInput[i] = make(NativeMultilinear, nbInputs) for j := range evalInput[i] { evalInput[i][j] = new(big.Int).Set(inputs[j][i]) } @@ -196,9 +196,9 @@ func newNativeGate(target *big.Int, gate gate[*bigIntEngine, *big.Int], inputs [ evaluations[i] = gate.Evaluate(be, evalInput[i]...) } // construct the mapping (inputIdx, instanceIdx) -> inputVal - inputPreprocessors := make([]nativeMultilinear, nbInputs) + inputPreprocessors := make([]NativeMultilinear, nbInputs) for i := range inputs { - inputPreprocessors[i] = make(nativeMultilinear, nbInstances) + inputPreprocessors[i] = make(NativeMultilinear, nbInstances) for j := range inputs[i] { inputPreprocessors[i][j] = new(big.Int).Set(inputs[i][j]) } @@ -211,7 +211,7 @@ func newNativeGate(target *big.Int, gate gate[*bigIntEngine, *big.Int], inputs [ // compute the random linear combinations of the evaluation values of the gate claimedEvaluations := make([]*big.Int, len(evaluationPoints)) for i := range claimedEvaluations { - claimedEvaluations[i] = eval(be, evaluations, evaluationPoints[i]) + claimedEvaluations[i] = Eval(be, evaluations, evaluationPoints[i]) } return &nativeGateClaim{ engine: be, @@ -231,19 +231,19 @@ func (g *nativeGateClaim) NbVars() int { return len(g.evaluationPoints[0]) } -func (g *nativeGateClaim) Combine(coeff *big.Int) nativePolynomial { +func (g *nativeGateClaim) Combine(coeff *big.Int) NativePolynomial { nbVars := g.NbVars() eqLength := 1 << nbVars nbClaims := g.NbClaims() - g.eq = make(nativeMultilinear, eqLength) + g.eq = make(NativeMultilinear, eqLength) g.eq[0] = g.engine.One() for i := 1; i < eqLength; i++ { g.eq[i] = new(big.Int) } - g.eq = eq(g.engine, g.eq, g.evaluationPoints[0]) + g.eq = Eq(g.engine, g.eq, g.evaluationPoints[0]) - newEq := make(nativeMultilinear, eqLength) + newEq := make(NativeMultilinear, eqLength) for i := 1; i < eqLength; i++ { newEq[i] = new(big.Int) } @@ -260,32 +260,32 @@ func (g *nativeGateClaim) Combine(coeff *big.Int) nativePolynomial { return g.computeGJ() } -func (g *nativeGateClaim) Next(r *big.Int) nativePolynomial { +func (g *nativeGateClaim) Next(r *big.Int) NativePolynomial { for i := range g.inputPreprocessors { - g.inputPreprocessors[i] = fold(g.engine, g.inputPreprocessors[i], r) + g.inputPreprocessors[i] = Fold(g.engine, g.inputPreprocessors[i], r) } - g.eq = fold(g.engine, g.eq, r) + g.eq = Fold(g.engine, g.eq, r) return g.computeGJ() } -func (g *nativeGateClaim) ProverFinalEval(r []*big.Int) nativeEvaluationProof { +func (g *nativeGateClaim) ProverFinalEval(r []*big.Int) NativeEvaluationProof { // verifier computes the value of the gate (times the eq) itself return nil } -func (g *nativeGateClaim) computeGJ() nativePolynomial { +func (g *nativeGateClaim) computeGJ() NativePolynomial { // returns the polynomial GJ through its evaluations degGJ := 1 + g.gate.Degree() nbGateIn := len(g.inputPreprocessors) - s := make([]nativeMultilinear, nbGateIn+1) + s := make([]NativeMultilinear, nbGateIn+1) s[0] = g.eq copy(s[1:], g.inputPreprocessors) nbInner := len(s) nbOuter := len(s[0]) / 2 - gJ := make(nativePolynomial, degGJ) + gJ := make(NativePolynomial, degGJ) for i := range gJ { gJ[i] = new(big.Int) } diff --git a/std/recursion/sumcheck/claimable_multilinear.go b/std/recursion/sumcheck/claimable_multilinear.go index c73395514f..261cc5d126 100644 --- a/std/recursion/sumcheck/claimable_multilinear.go +++ b/std/recursion/sumcheck/claimable_multilinear.go @@ -71,7 +71,7 @@ func newNativeMultilinearClaim(target *big.Int, ml []*big.Int) (claim claims, hy if bits.OnesCount(uint(len(ml))) != 1 { return nil, nil, fmt.Errorf("expecting power of two coeffs") } - be := newBigIntEngine(target) + be := NewBigIntEngine(target) hypersum = new(big.Int) for i := range ml { hypersum = be.Add(hypersum, ml[i]) @@ -91,16 +91,16 @@ func (fn *nativeMultilinearClaim) NbVars() int { return bits.Len(uint(len(fn.ml))) - 1 } -func (fn *nativeMultilinearClaim) Combine(coeff *big.Int) nativePolynomial { +func (fn *nativeMultilinearClaim) Combine(coeff *big.Int) NativePolynomial { return []*big.Int{hypersumX1One(fn.be, fn.ml)} } -func (fn *nativeMultilinearClaim) Next(r *big.Int) nativePolynomial { - fn.ml = fold(fn.be, fn.ml, r) +func (fn *nativeMultilinearClaim) Next(r *big.Int) NativePolynomial { + fn.ml = Fold(fn.be, fn.ml, r) return []*big.Int{hypersumX1One(fn.be, fn.ml)} } -func (fn *nativeMultilinearClaim) ProverFinalEval(r []*big.Int) nativeEvaluationProof { +func (fn *nativeMultilinearClaim) ProverFinalEval(r []*big.Int) NativeEvaluationProof { // verifier computes the value of the multilinear function itself return nil } diff --git a/std/recursion/sumcheck/polynomial.go b/std/recursion/sumcheck/polynomial.go index 2025b2329d..d7401d8b95 100644 --- a/std/recursion/sumcheck/polynomial.go +++ b/std/recursion/sumcheck/polynomial.go @@ -4,12 +4,28 @@ import ( "math/big" ) -type nativePolynomial []*big.Int -type nativeMultilinear []*big.Int +type NativePolynomial []*big.Int +type NativeMultilinear []*big.Int // helper functions for multilinear polynomial evaluations -func fold(api *bigIntEngine, ml nativeMultilinear, r *big.Int) nativeMultilinear { +func DereferenceBigIntSlice(ptrs []*big.Int) []big.Int { + vals := make([]big.Int, len(ptrs)) + for i, ptr := range ptrs { + vals[i] = *ptr + } + return vals +} + +func ReferenceBigIntSlice(vals []big.Int) []*big.Int { + ptrs := make([]*big.Int, len(vals)) + for i := range ptrs { + ptrs[i] = &vals[i] + } + return ptrs +} + +func Fold(api *bigIntEngine, ml NativeMultilinear, r *big.Int) NativeMultilinear { // NB! it modifies ml in-place and also returns mid := len(ml) / 2 bottom, top := ml[:mid], ml[mid:] @@ -22,7 +38,7 @@ func fold(api *bigIntEngine, ml nativeMultilinear, r *big.Int) nativeMultilinear return ml[:mid] } -func hypersumX1One(api *bigIntEngine, ml nativeMultilinear) *big.Int { +func hypersumX1One(api *bigIntEngine, ml NativeMultilinear) *big.Int { sum := ml[len(ml)/2] for i := len(ml)/2 + 1; i < len(ml); i++ { sum = api.Add(sum, ml[i]) @@ -30,7 +46,7 @@ func hypersumX1One(api *bigIntEngine, ml nativeMultilinear) *big.Int { return sum } -func eq(api *bigIntEngine, ml nativeMultilinear, q []*big.Int) nativeMultilinear { +func Eq(api *bigIntEngine, ml NativeMultilinear, q []*big.Int) NativeMultilinear { if (1 << len(q)) != len(ml) { panic("scalar length mismatch") } @@ -46,20 +62,20 @@ func eq(api *bigIntEngine, ml nativeMultilinear, q []*big.Int) nativeMultilinear return ml } -func eval(api *bigIntEngine, ml nativeMultilinear, r []*big.Int) *big.Int { - mlCopy := make(nativeMultilinear, len(ml)) +func Eval(api *bigIntEngine, ml NativeMultilinear, r []*big.Int) *big.Int { + mlCopy := make(NativeMultilinear, len(ml)) for i := range mlCopy { mlCopy[i] = new(big.Int).Set(ml[i]) } for _, ri := range r { - mlCopy = fold(api, mlCopy, ri) + mlCopy = Fold(api, mlCopy, ri) } return mlCopy[0] } -func eqAcc(api *bigIntEngine, e nativeMultilinear, m nativeMultilinear, q []*big.Int) nativeMultilinear { +func eqAcc(api *bigIntEngine, e NativeMultilinear, m NativeMultilinear, q []*big.Int) NativeMultilinear { if len(e) != len(m) { panic("length mismatch") } @@ -82,85 +98,4 @@ func eqAcc(api *bigIntEngine, e nativeMultilinear, m nativeMultilinear, q []*big e[i] = api.Add(e[i], m[i]) } return e -} - -// func (m nonNativeMultilinear[FR]) Clone() nonNativeMultilinear[FR] { -// clone := make(nonNativeMultilinear[FR], len(m)) -// for i := range m { -// clone[i] = new(emulated.Element[FR]) -// *clone[i] = *m[i] -// } -// return clone -// } - -// // fold fixes the value of m's first variable to at, thus halving m's required bookkeeping table size -// // WARNING: The user should halve m themselves after the call -// func (m nonNativeMultilinear[FR]) fold(api emuEngine[FR], at emulated.Element[FR]) { -// zero := m[:len(m)/2] -// one := m[len(m)/2:] -// for j := range zero { -// diff := api.Sub(one[j], zero[j]) -// zero[j] = api.MulAcc(zero[j], diff, &at) -// } -// } - -// // foldScaled(m, at) = fold(m, at) / (1 - at) -// // it returns 1 - at, for convenience -// func (m nonNativeMultilinear[FR]) foldScaled(api emuEngine[FR], at emulated.Element[FR]) (denom emulated.Element[FR]) { -// denom = *api.Sub(api.One(), &at) -// coeff := *api.Div(&at, &denom) -// zero := m[:len(m)/2] -// one := m[len(m)/2:] -// for j := range zero { -// zero[j] = api.MulAcc(zero[j], one[j], &coeff) -// } -// return -// } - -// var minFoldScaledLogSize = 16 - -// // Evaluate assumes len(m) = 1 << len(at) -// // it doesn't modify m -// func (m nonNativeMultilinear[FR]) EvaluateFR(api emuEngine[FR], at []emulated.Element[FR]) emulated.Element[FR] { -// _m := m.Clone() - -// /*minFoldScaledLogSize := 16 -// if api is r1cs { -// minFoldScaledLogSize = math.MaxInt64 // no scaling for r1cs -// }*/ - -// scaleCorrectionFactor := api.One() -// // at each iteration fold by at[i] -// for len(_m) > 1 { -// if len(_m) >= minFoldScaledLogSize { -// denom := _m.foldScaled(api, at[0]) -// scaleCorrectionFactor = api.Mul(scaleCorrectionFactor, &denom) -// } else { -// _m.fold(api, at[0]) -// } -// _m = _m[:len(_m)/2] -// at = at[1:] -// } - -// if len(at) != 0 { -// panic("incompatible evaluation vector size") -// } - -// return *api.Mul(_m[0], scaleCorrectionFactor) -// } - -// // EvalEq returns Πⁿ₁ Eq(xᵢ, yᵢ) = Πⁿ₁ xᵢyᵢ + (1-xᵢ)(1-yᵢ) = Πⁿ₁ (1 + 2xᵢyᵢ - xᵢ - yᵢ). Is assumes len(x) = len(y) =: n -// func EvalEqFR[FR emulated.FieldParams](api emuEngine[FR], x, y []emulated.Element[FR]) (eq emulated.Element[FR]) { - -// eq = *api.One() -// for i := range x { -// next := api.Mul(&x[i], &y[i]) -// next = api.Add(next, next) -// next = api.Add(next, api.One()) -// next = api.Sub(next, &x[i]) -// next = api.Sub(next, &y[i]) - -// eq = *api.Mul(&eq, next) -// } -// return -// } \ No newline at end of file +} \ No newline at end of file diff --git a/std/recursion/sumcheck/proof.go b/std/recursion/sumcheck/proof.go index e2c5da350b..1533539eb8 100644 --- a/std/recursion/sumcheck/proof.go +++ b/std/recursion/sumcheck/proof.go @@ -3,7 +3,6 @@ package sumcheck import ( "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark/std/math/polynomial" - polynative "github.com/consensys/gnark/std/polynomial" ) // Proof contains the prover messages in the sumcheck protocol. @@ -12,22 +11,12 @@ type Proof[FR emulated.FieldParams] struct { RoundPolyEvaluations []polynomial.Univariate[FR] // FinalEvalProof is the witness for helping the verifier to compute the // final round of the sumcheck protocol. - FinalEvalProof EvaluationProof + FinalEvalProof DeferredEvalProof[FR] } -type nativeProof struct { - RoundPolyEvaluations []nativePolynomial - FinalEvalProof nativeEvaluationProof -} - -type nativeProofGKR struct { - PartialSumPolys []polynative.Polynomial - FinalEvalProof nativeEvaluationProof -} - -type nonNativeProofGKR[FR emulated.FieldParams] struct { - PartialSumPolys []polynomial.Univariate[FR] - FinalEvalProof EvaluationProofFr[FR] +type NativeProof struct { + RoundPolyEvaluations []NativePolynomial + FinalEvalProof NativeEvaluationProof } // EvaluationProof is proof for allowing the sumcheck verifier to perform the @@ -38,11 +27,12 @@ type nonNativeProofGKR[FR emulated.FieldParams] struct { // - if it is deferred, then it is a slice. type EvaluationProof any -type EvaluationProofFr[FR emulated.FieldParams] []emulated.Element[FR] +// evaluationProof for gkr +type DeferredEvalProof[FR emulated.FieldParams] []emulated.Element[FR] -type nativeEvaluationProof any +type NativeEvaluationProof any -func valueOfProof[FR emulated.FieldParams](nproof nativeProof) Proof[FR] { +func valueOfProof[FR emulated.FieldParams](nproof NativeProof) Proof[FR] { rps := make([]polynomial.Univariate[FR], len(nproof.RoundPolyEvaluations)) for i := range nproof.RoundPolyEvaluations { rps[i] = polynomial.ValueOfUnivariate[FR](nproof.RoundPolyEvaluations[i]) diff --git a/std/recursion/sumcheck/prover.go b/std/recursion/sumcheck/prover.go index bbf2ac0c15..5001c0336c 100644 --- a/std/recursion/sumcheck/prover.go +++ b/std/recursion/sumcheck/prover.go @@ -3,14 +3,8 @@ package sumcheck import ( "fmt" "math/big" - "slices" - "strconv" fiatshamir "github.com/consensys/gnark-crypto/fiat-shamir" - "github.com/consensys/gnark/frontend" - fiatshamirGnark "github.com/consensys/gnark/std/fiat-shamir" - "github.com/consensys/gnark/std/math/bits" - "github.com/consensys/gnark/std/polynomial" "github.com/consensys/gnark/std/recursion" ) @@ -38,8 +32,8 @@ func newProverConfig(opts ...proverOption) (*proverConfig, error) { return ret, nil } -func prove(current *big.Int, target *big.Int, claims claims, opts ...proverOption) (nativeProof, error) { - var proof nativeProof +func Prove(current *big.Int, target *big.Int, claims claims, opts ...proverOption) (NativeProof, error) { + var proof NativeProof cfg, err := newProverConfig(opts...) if err != nil { return proof, fmt.Errorf("parse options: %w", err) @@ -54,20 +48,20 @@ func prove(current *big.Int, target *big.Int, claims claims, opts ...proverOptio return proof, fmt.Errorf("new transcript: %w", err) } // bind challenge from previous round if it is a continuation - if err = bindChallengeProver(fs, challengeNames[0], cfg.baseChallenges); err != nil { + if err = BindChallengeProver(fs, challengeNames[0], cfg.baseChallenges); err != nil { return proof, fmt.Errorf("base: %w", err) } combinationCoef := big.NewInt(0) if claims.NbClaims() >= 2 { - if combinationCoef, challengeNames, err = deriveChallengeProver(fs, challengeNames, nil); err != nil { + if combinationCoef, challengeNames, err = DeriveChallengeProver(fs, challengeNames, nil); err != nil { return proof, fmt.Errorf("derive combination coef: %w", err) } } // in sumcheck we run a round for every variable. So the number of variables // defines the number of rounds. nbVars := claims.NbVars() - proof.RoundPolyEvaluations = make([]nativePolynomial, nbVars) + proof.RoundPolyEvaluations = make([]NativePolynomial, nbVars) // the first round in the sumcheck is without verifier challenge. Combine challenges and provers sends the first polynomial proof.RoundPolyEvaluations[0] = claims.Combine(combinationCoef) @@ -77,14 +71,14 @@ func prove(current *big.Int, target *big.Int, claims claims, opts ...proverOptio // final evaluation is possibly deferred. for j := 0; j < nbVars-1; j++ { // compute challenge for the next round - if challenges[j], challengeNames, err = deriveChallengeProver(fs, challengeNames, proof.RoundPolyEvaluations[j]); err != nil { + if challenges[j], challengeNames, err = DeriveChallengeProver(fs, challengeNames, proof.RoundPolyEvaluations[j]); err != nil { return proof, fmt.Errorf("derive challenge: %w", err) } // compute the univariate polynomial with first j variables fixed. proof.RoundPolyEvaluations[j+1] = claims.Next(challenges[j]) } - if challenges[nbVars-1], challengeNames, err = deriveChallengeProver(fs, challengeNames, proof.RoundPolyEvaluations[nbVars-1]); err != nil { + if challenges[nbVars-1], challengeNames, err = DeriveChallengeProver(fs, challengeNames, proof.RoundPolyEvaluations[nbVars-1]); err != nil { return proof, fmt.Errorf("derive challenge: %w", err) } if len(challengeNames) > 0 { @@ -92,93 +86,5 @@ func prove(current *big.Int, target *big.Int, claims claims, opts ...proverOptio } proof.FinalEvalProof = claims.ProverFinalEval(challenges) - return proof, nil -} - -// todo change this bind as limbs instead of bits, ask @arya if necessary -// bindChallenge binds the values for challengeName using in-circuit Fiat-Shamir transcript. -func bindChallenge(api frontend.API, targetModulus *big.Int, fs *fiatshamirGnark.Transcript, challengeName string, values []frontend.Variable) error { - for i := range values { - bts := bits.ToBinary(api, values[i], bits.WithNbDigits(targetModulus.BitLen())) - slices.Reverse(bts) - if err := fs.Bind(challengeName, bts); err != nil { - return fmt.Errorf("bind challenge %s %d: %w", challengeName, i, err) - } - } - return nil -} - -func setupTranscript(api frontend.API, targetModulus *big.Int, claimsNum int, varsNum int, settings *fiatshamirGnark.Settings) ([]string, error) { - - numChallenges := varsNum - if claimsNum >= 2 { - numChallenges++ - } - challengeNames := make([]string, numChallenges) - if claimsNum >= 2 { - challengeNames[0] = settings.Prefix + "comb" - } - prefix := settings.Prefix + "pSP." - for i := 0; i < varsNum; i++ { - challengeNames[i+numChallenges-varsNum] = prefix + strconv.Itoa(i) - } - // todo check if settings.Transcript is nil - if settings.Transcript == nil { - var err error - settings.Transcript, err = recursion.NewTranscript(api, targetModulus, challengeNames) // not passing settings.hash check - if err != nil { - return nil, err - } - } - - return challengeNames, bindChallenge(api, targetModulus, settings.Transcript, challengeNames[0], settings.BaseChallenges) -} - -func next(transcript *fiatshamirGnark.Transcript, bindings []frontend.Variable, remainingChallengeNames *[]string) (frontend.Variable, error) { - challengeName := (*remainingChallengeNames)[0] - if err := transcript.Bind(challengeName, bindings); err != nil { - return nil, err - } - - res, err := transcript.ComputeChallenge(challengeName) - *remainingChallengeNames = (*remainingChallengeNames)[1:] - return res, err -} - -// Prove create a non-interactive sumcheck proof -func SumcheckProve(api frontend.API, targetModulus *big.Int, claims claimsVar, transcriptSettings fiatshamirGnark.Settings) (nativeProofGKR, error) { - - var proof nativeProofGKR - remainingChallengeNames, err := setupTranscript(api, targetModulus, claims.NbClaims(), claims.NbVars(), &transcriptSettings) - transcript := transcriptSettings.Transcript - if err != nil { - return proof, err - } - - var combinationCoeff frontend.Variable - if claims.NbClaims() >= 2 { - if combinationCoeff, err = next(transcript, []frontend.Variable{}, &remainingChallengeNames); err != nil { - return proof, err - } - } - - varsNum := claims.NbVars() - proof.PartialSumPolys = make([]polynomial.Polynomial, varsNum) - proof.PartialSumPolys[0] = claims.Combine(api, &combinationCoeff) - challenges := make([]frontend.Variable, varsNum) - - for j := 0; j+1 < varsNum; j++ { - if challenges[j], err = next(transcript, proof.PartialSumPolys[j], &remainingChallengeNames); err != nil { - return proof, err - } - proof.PartialSumPolys[j+1] = claims.Next(api, &challenges[j]) - } - - if challenges[varsNum-1], err = next(transcript, proof.PartialSumPolys[varsNum-1], &remainingChallengeNames); err != nil { - return proof, err - } - - proof.FinalEvalProof = claims.ProverFinalEval(api, challenges) - return proof, nil } \ No newline at end of file diff --git a/std/recursion/sumcheck/scalarmul_gates_test.go b/std/recursion/sumcheck/scalarmul_gates_test.go index 30ff77e1ad..689545f3c1 100644 --- a/std/recursion/sumcheck/scalarmul_gates_test.go +++ b/std/recursion/sumcheck/scalarmul_gates_test.go @@ -126,7 +126,7 @@ func testProjAddSumCheckInstance[FR emulated.FieldParams](t *testing.T, current evalPointsB, evalPointsPH, evalPointsC := getChallengeEvaluationPoints[FR](inputB) claim, evals, err := newNativeGate(fr.Modulus(), nativeGate, inputB, evalPointsB) assert.NoError(err) - proof, err := prove(current, fr.Modulus(), claim) + proof, err := Prove(current, fr.Modulus(), claim) assert.NoError(err) nbVars := bits.Len(uint(len(inputs[0]))) - 1 circuit := &ProjAddSumcheckCircuit[FR]{ @@ -299,7 +299,7 @@ func TestDblAndAddGate(t *testing.T) { assert.True(ok) secpfp, ok := new(big.Int).SetString("fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f", 16) assert.True(ok) - eng := newBigIntEngine(secpfp) + eng := NewBigIntEngine(secpfp) res := nativeGate.Evaluate(eng, px, py, big.NewInt(1), big.NewInt(0), big.NewInt(1), big.NewInt(0), big.NewInt(1)) t.Log(res) _ = res @@ -380,7 +380,7 @@ func testProjDblAddSelectSumCheckInstance[FR emulated.FieldParams](t *testing.T, evalPointsB, evalPointsPH, evalPointsC := getChallengeEvaluationPoints[FR](inputB) claim, evals, err := newNativeGate(fr.Modulus(), nativeGate, inputB, evalPointsB) assert.NoError(err) - proof, err := prove(current, fr.Modulus(), claim) + proof, err := Prove(current, fr.Modulus(), claim) assert.NoError(err) nbVars := bits.Len(uint(len(inputs[0]))) - 1 circuit := &ProjDblAddSelectSumcheckCircuit[FR]{ diff --git a/std/recursion/sumcheck/sumcheck_test.go b/std/recursion/sumcheck/sumcheck_test.go index 1127e46e88..e8bfd7ce90 100644 --- a/std/recursion/sumcheck/sumcheck_test.go +++ b/std/recursion/sumcheck/sumcheck_test.go @@ -46,7 +46,7 @@ func testMultilinearSumcheckInstance[FR emulated.FieldParams](t *testing.T, curr claim, value, err := newNativeMultilinearClaim(fr.Modulus(), mleB) assert.NoError(err) - proof, err := prove(current, fr.Modulus(), claim) + proof, err := Prove(current, fr.Modulus(), claim) assert.NoError(err) nbVars := bits.Len(uint(len(mle))) - 1 circuit := &MultilinearSumcheckCircuit[FR]{ @@ -157,7 +157,7 @@ func testMulGate1SumcheckInstance[FR emulated.FieldParams](t *testing.T, current evalPointsB, evalPointsPH, evalPointsC := getChallengeEvaluationPoints[FR](inputB) claim, evals, err := newNativeGate(fr.Modulus(), nativeGate, inputB, evalPointsB) assert.NoError(err) - proof, err := prove(current, fr.Modulus(), claim) + proof, err := Prove(current, fr.Modulus(), claim) assert.NoError(err) nbVars := bits.Len(uint(len(inputs[0]))) - 1 circuit := &MulGateSumcheck[FR]{ diff --git a/std/recursion/sumcheck/verifier.go b/std/recursion/sumcheck/verifier.go index 95732a90aa..3ab2399622 100644 --- a/std/recursion/sumcheck/verifier.go +++ b/std/recursion/sumcheck/verifier.go @@ -3,6 +3,7 @@ package sumcheck import ( "fmt" "strconv" + "github.com/consensys/gnark/frontend" fiatshamir "github.com/consensys/gnark/std/fiat-shamir" "github.com/consensys/gnark/std/math/emulated" @@ -214,7 +215,7 @@ func (v *Verifier[FR]) Verify(claims LazyClaims[FR], proof Proof[FR], opts ...Ve } // VerifyForGkr verifies the sumcheck proof for the given (lazy) claims. -func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativeProofGKR[FR], transcriptSettings fiatshamir.SettingsFr[FR]) error { +func (v *Verifier[FR]) VerifyForGkr(claims LazyClaims[FR], proof Proof[FR], transcriptSettings fiatshamir.SettingsFr[FR]) error { remainingChallengeNames, err := v.setupTranscript(claims.NbClaims(), claims.NbVars(), &transcriptSettings) transcript := transcriptSettings.Transcript @@ -240,13 +241,13 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro } } - gJ := make([]emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() + gJ := make([]emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() // gJR is the claimed value. In case of multiple claims it is combined // claimed value we're going to check against. gJR := claims.CombinedSum(&combinationCoef) for j := 0; j < claims.NbVars(); j++ { - partialSumPoly := proof.PartialSumPolys[j] //proof.PartialSumPolys(j) + partialSumPoly := proof.RoundPolyEvaluations[j] //proof.PartialSumPolys(j) if len(partialSumPoly) != claims.Degree(j) { return fmt.Errorf("malformed proof") //Malformed proof } @@ -255,12 +256,12 @@ func (v *Verifier[FR]) VerifyForGkr(claims LazyClaimsVar[FR], proof nonNativePro // gJ is ready //Prepare for the next iteration - if r[j], err = v.next(transcript, proof.PartialSumPolys[j], &remainingChallengeNames); err != nil { + if r[j], err = v.next(transcript, proof.RoundPolyEvaluations[j], &remainingChallengeNames); err != nil { return err } gJR = v.p.InterpolateLDE(&r[j], polynomial.FromSlice(gJ[:(claims.Degree(j)+1)])) } - return claims.VerifyFinalEval(r, combinationCoef, *gJR, proof.FinalEvalProof) -} \ No newline at end of file + return claims.AssertEvaluation(polynomial.FromSlice(r), &combinationCoef, gJR, proof.FinalEvalProof) +} diff --git a/std/sumcheck/sumcheck.go b/std/sumcheck/sumcheck.go index 6d5b95b572..de3689cbb8 100644 --- a/std/sumcheck/sumcheck.go +++ b/std/sumcheck/sumcheck.go @@ -14,7 +14,7 @@ type LazyClaims interface { ClaimsNum() int // ClaimsNum = m VarsNum() int // VarsNum = n CombinedSum(api frontend.API, a frontend.Variable) frontend.Variable // CombinedSum returns c = ∑_{1≤j≤m} aʲ⁻¹cⱼ - Degree(i int) int // Degree of the total claim in the i'th variable + Degree(i int) int //Degree of the total claim in the i'th variable VerifyFinalEval(api frontend.API, r []frontend.Variable, combinationCoeff, purportedValue frontend.Variable, proof interface{}) error } @@ -81,7 +81,7 @@ func Verify(api frontend.API, claims LazyClaims, proof Proof, transcriptSettings } } - gJ := make(polynomial.Polynomial, maxDegree+1) // At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() + gJ := make(polynomial.Polynomial, maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() gJR := claims.CombinedSum(api, combinationCoeff) // At the beginning of iteration j, gJR = ∑_{i < 2ⁿ⁻ʲ} g(r₁, ..., rⱼ, i...) for j := 0; j < claims.VarsNum(); j++ { From a8917d9dc9709b10dc5a204f40edcd705f5ea868 Mon Sep 17 00:00:00 2001 From: ak36 Date: Mon, 17 Jun 2024 23:36:36 -0400 Subject: [PATCH 12/26] fixed ivo comments --- std/recursion/gkr/gkr_nonnative.go | 196 ++++++++---------- std/recursion/gkr/gkr_nonnative_test.go | 20 +- std/recursion/sumcheck/arithengine.go | 50 ++--- std/recursion/sumcheck/claimable_gate.go | 16 +- .../sumcheck/claimable_multilinear.go | 2 +- std/recursion/sumcheck/polynomial.go | 17 +- std/recursion/sumcheck/proof.go | 2 +- std/recursion/sumcheck/prover.go | 3 - .../sumcheck/scalarmul_gates_test.go | 20 +- std/recursion/sumcheck/sumcheck_test.go | 6 +- std/recursion/sumcheck/verifier.go | 114 ++-------- 11 files changed, 160 insertions(+), 286 deletions(-) diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index a7217968aa..9f1223eed1 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -29,7 +29,7 @@ import ( // Gate must be a low-degree polynomial type Gate interface { - Evaluate(...big.Int) big.Int // removed api ? + Evaluate(*sumcheck.BigIntEngine, ...*big.Int) *big.Int Degree() int } @@ -41,7 +41,7 @@ type Wire struct { // Gate must be a low-degree polynomial type GateFr[FR emulated.FieldParams] interface { - Evaluate(...emulated.Element[FR]) emulated.Element[FR] + Evaluate(*sumcheck.EmuEngine[FR], ...*emulated.Element[FR]) *emulated.Element[FR] Degree() int } @@ -133,6 +133,7 @@ type eqTimesGateEvalSumcheckLazyClaimsFr[FR emulated.FieldParams] struct { claimedEvaluations []emulated.Element[FR] manager *claimsManagerFr[FR] // WARNING: Circular references verifier *GKRVerifier[FR] + engine *sumcheck.EmuEngine[FR] } func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof sumcheck.DeferredEvalProof[FR]) error { @@ -180,7 +181,7 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.E if proofI != len(inputEvaluationsNoRedundancy) { return fmt.Errorf("%d input wire evaluations given, %d expected", len(inputEvaluationsNoRedundancy), proofI) } - gateEvaluation = e.wire.Gate.Evaluate(inputEvaluations...) + gateEvaluation = *e.wire.Gate.Evaluate(e.engine, polynomial.FromSlice(inputEvaluations)...) } evaluation = field.Mul(evaluation, &gateEvaluation) @@ -205,7 +206,7 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) Degree(int) int { return 1 + e.wire.Gate.Degree() } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof sumcheck.DeferredEvalProof[FR]) error { +func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof sumcheck.EvaluationProof) error { field := emulated.Field[FR]{} val, err := e.verifier.p.EvalMultilinear(r, e.manager.assignment[e.wire]) if err != nil { @@ -258,7 +259,7 @@ type claimsManager struct { assignment WireAssignment } -func newClaimsManager(c Circuit, assignment WireAssignment, o settings) (claims claimsManager) { +func newClaimsManager(c Circuit, assignment WireAssignment) (claims claimsManager) { claims.assignment = assignment claims.claimsMap = make(map[*Wire]*eqTimesGateEvalSumcheckLazyClaims, len(c)) @@ -282,10 +283,6 @@ func (m *claimsManager) add(wire *Wire, evaluationPoint []big.Int, evaluation bi claim.evaluationPoints = append(claim.evaluationPoints, evaluationPoint) } -func (m *claimsManager) getLazyClaim(wire *Wire) *eqTimesGateEvalSumcheckLazyClaims { - return m.claimsMap[wire] -} - func (m *claimsManager) getClaim(wire *Wire) *eqTimesGateEvalSumcheckClaims { lazy := m.claimsMap[wire] res := &eqTimesGateEvalSumcheckClaims{ @@ -323,7 +320,7 @@ type eqTimesGateEvalSumcheckClaims struct { evaluationPoints [][]big.Int // x in the paper claimedEvaluations []big.Int // y in the paper manager *claimsManager - engine *sumcheck.BigIntEngineWrapper + engine *sumcheck.BigIntEngine inputPreprocessors []sumcheck.NativeMultilinear // P_u in the paper, so that we don't need to pass along all the circuit's evaluations eq sumcheck.NativeMultilinear // ∑_i τ_i eq(x_i, -) @@ -345,7 +342,7 @@ func (c *eqTimesGateEvalSumcheckClaims) Combine(combinationCoeff *big.Int) sumch c.eq = make(sumcheck.NativeMultilinear, eqLength) c.eq[0] = big.NewInt(1) - sumcheck.Eq(c.engine.Engine, c.eq, sumcheck.ReferenceBigIntSlice(c.evaluationPoints[0])) + sumcheck.Eq(c.engine, c.eq, sumcheck.ReferenceBigIntSlice(c.evaluationPoints[0])) newEq := make(sumcheck.NativeMultilinear, eqLength) aI := combinationCoeff @@ -433,9 +430,9 @@ func (c *eqTimesGateEvalSumcheckClaims) computeGJ() sumcheck.NativePolynomial { _s := 0 _e := nbInner for d := 0; d < degGJ; d++ { - summand := c.wire.Gate.Evaluate(operands[_s+1 : _e]...) - summand.Mul(&summand, &operands[_s]) - res[d].Add(&res[d], &summand) + summand := c.wire.Gate.Evaluate(c.engine, sumcheck.ReferenceBigIntSlice(operands[_s+1 : _e])...) + summand.Mul(summand, &operands[_s]) + res[d].Add(&res[d], summand) _s, _e = _e, _e+nbInner } } @@ -465,9 +462,9 @@ func (c *eqTimesGateEvalSumcheckClaims) Next(element *big.Int) sumcheck.NativePo if n < minBlockSize { // no parallelization for i := 0; i < len(c.inputPreprocessors); i++ { - sumcheck.Fold(c.engine.Engine, c.inputPreprocessors[i], element) + sumcheck.Fold(c.engine, c.inputPreprocessors[i], element) } - sumcheck.Fold(c.engine.Engine, c.eq, element) + sumcheck.Fold(c.engine, c.eq, element) } return c.computeGJ() @@ -492,7 +489,7 @@ func (c *eqTimesGateEvalSumcheckClaims) ProverFinalEval(r []*big.Int) sumcheck.N puI := c.inputPreprocessors[inI] if _, found := noMoreClaimsAllowed[in]; !found { noMoreClaimsAllowed[in] = struct{}{} - sumcheck.Fold(c.engine.Engine, puI, r[len(r)-1]) + sumcheck.Fold(c.engine, puI, r[len(r)-1]) c.manager.add(in, sumcheck.DereferenceBigIntSlice(r), *puI[0]) evaluations = append(evaluations, *puI[0]) } @@ -505,7 +502,7 @@ func (e *eqTimesGateEvalSumcheckClaims) Degree(int) int { return 1 + e.wire.Gate.Degree() } -func setup(api frontend.API, current *big.Int, target *big.Int, c Circuit, assignment WireAssignment, options ...OptionGkr) (settings, error) { +func setup(current *big.Int, target *big.Int, c Circuit, assignment WireAssignment, options ...OptionGkr) (settings, error) { var o settings var err error for _, option := range options { @@ -530,17 +527,12 @@ func setup(api frontend.API, current *big.Int, target *big.Int, c Circuit, assig return o, fmt.Errorf("new short hash: %w", err) } o.transcript = cryptofiatshamir.NewTranscript(fshash, challengeNames...) - if err != nil { - return o, fmt.Errorf("new transcript: %w", err) - } // bind challenge from previous round if it is a continuation if err = sumcheck.BindChallengeProver(o.transcript, challengeNames[0], o.baseChallenges); err != nil { return o, fmt.Errorf("base: %w", err) } - } else { - o.transcript, o.transcriptPrefix = o.transcript, o.transcriptPrefix } return o, err @@ -581,53 +573,51 @@ func WithSortedCircuit[FR emulated.FieldParams](sorted []*WireFr[FR]) OptionFr[F } } -type config struct { - prefix string -} +// type config struct { +// prefix string +// } -func newConfig(opts ...sumcheck.Option) (*config, error) { - cfg := new(config) - for i := range opts { - if err := opts[i](cfg); err != nil { - return nil, fmt.Errorf("apply option %d: %w", i, err) - } - } - return cfg, nil -} +// func newConfig(opts ...sumcheck.Option) (*config, error) { +// cfg := new(config) +// for i := range opts { +// if err := opts[i](cfg); err != nil { +// return nil, fmt.Errorf("apply option %d: %w", i, err) +// } +// } +// return cfg, nil +// } // Verifier allows to check sumcheck proofs. See [NewVerifier] for initializing the instance. type GKRVerifier[FR emulated.FieldParams] struct { api frontend.API f *emulated.Field[FR] p *polynomial.Polynomial[FR] - *config + *sumcheck.Config } -// // NewVerifier initializes a new sumcheck verifier for the parametric emulated -// // field FR. It returns an error if the given options are invalid or when -// // initializing emulated arithmetic fails. -// func NewGKRVerifier[FR emulated.FieldParams](api frontend.API, opts ...sumcheck.Option) (*GKRVerifier[FR], error) { -// cfg, err := newConfig(opts...) -// if err != nil { -// return nil, fmt.Errorf("new configuration: %w", err) -// } - -// f, err := emulated.NewField[FR](api) -// if err != nil { -// return nil, fmt.Errorf("new field: %w", err) -// } - -// p, err := polynomial.New[FR](api) -// if err != nil { -// return nil, fmt.Errorf("new polynomial: %w", err) -// } -// return &GKRVerifier[FR]{ -// api: api, -// f: f, -// p: p, -// config: cfg, -// }, nil -// } +// NewVerifier initializes a new sumcheck verifier for the parametric emulated +// field FR. It returns an error if the given options are invalid or when +// initializing emulated arithmetic fails. +func NewGKRVerifier[FR emulated.FieldParams](api frontend.API, opts ...sumcheck.Option) (*GKRVerifier[FR], error) { + cfg, err := sumcheck.NewConfig(opts...) + if err != nil { + return nil, fmt.Errorf("new configuration: %w", err) + } + f, err := emulated.NewField[FR](api) + if err != nil { + return nil, fmt.Errorf("new field: %w", err) + } + p, err := polynomial.New[FR](api) + if err != nil { + return nil, fmt.Errorf("new polynomial: %w", err) + } + return &GKRVerifier[FR]{ + api: api, + f: f, + p: p, + Config: cfg, + }, nil +} // bindChallenge binds the values for challengeName using in-circuit Fiat-Shamir transcript. func (v *GKRVerifier[FR]) bindChallenge(fs *fiatshamir.Transcript, challengeName string, values []emulated.Element[FR]) error { @@ -649,7 +639,7 @@ func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitFr[FR], assignment Wi option(&o) } - cfg, err := newVerificationConfig[FR]() + cfg, err := sumcheck.NewVerificationConfig[FR]() if err != nil { return o, fmt.Errorf("verification opts: %w", err) } @@ -671,7 +661,7 @@ func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitFr[FR], assignment Wi return o, fmt.Errorf("new transcript: %w", err) } // bind challenge from previous round if it is a continuation - if err = v.bindChallenge(o.transcript, challengeNames[0], cfg.baseChallenges); err != nil { + if err = v.bindChallenge(o.transcript, challengeNames[0], cfg.BaseChallenges); err != nil { return o, fmt.Errorf("base: %w", err) } } else { @@ -806,16 +796,6 @@ func getFirstChallengeNames(logNbInstances int, prefix string) []string { return res } -func getChallenges(transcript *fiatshamir.Transcript, names []string) (challenges []frontend.Variable, err error) { - challenges = make([]frontend.Variable, len(names)) - for i, name := range names { - if challenges[i], err = transcript.ComputeChallenge(name); err != nil { - return - } - } - return -} - func (v *GKRVerifier[FR]) getChallengesFr(transcript *fiatshamir.Transcript, names []string) (challenges []emulated.Element[FR], err error) { challenges = make([]emulated.Element[FR], len(names)) var challenge emulated.Element[FR] @@ -837,17 +817,17 @@ func (v *GKRVerifier[FR]) getChallengesFr(transcript *fiatshamir.Transcript, nam // Prove consistency of the claimed assignment func Prove(api frontend.API, current *big.Int, target *big.Int, c Circuit, assignment WireAssignment, transcriptSettings fiatshamir.Settings, options ...OptionGkr) (NativeProofs, error) { be := sumcheck.NewBigIntEngine(target) - o, err := setup(api, current, target, c, assignment, options...) + o, err := setup(current, target, c, assignment, options...) if err != nil { return nil, err } - claims := newClaimsManager(c, assignment, o) + claims := newClaimsManager(c, assignment) proof := make(NativeProofs, len(c)) - // firstChallenge called rho in the paper - var firstChallenge []*big.Int challengeNames := getFirstChallengeNames(o.nbVars, o.transcriptPrefix) + // firstChallenge called rho in the paper + firstChallenge := make([]*big.Int, len(challengeNames)) for i := 0; i < len(challengeNames); i++ { firstChallenge[i], _, err = sumcheck.DeriveChallengeProver(o.transcript, challengeNames[i:], nil) if err != nil { @@ -880,9 +860,7 @@ func Prove(api frontend.API, current *big.Int, target *big.Int, c Circuit, assig finalEvalProof := proof[i].FinalEvalProof.([]*big.Int) baseChallenge = make([]*big.Int, len(finalEvalProof)) - for j := range finalEvalProof { - baseChallenge[j] = finalEvalProof[j] - } + copy(baseChallenge, finalEvalProof) } // the verifier checks a single claim about input wires itself claims.deleteClaim(wire) @@ -911,7 +889,6 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } - wirePrefix := o.transcriptPrefix + "w" var baseChallenge []emulated.Element[FR] for i := len(c) - 1; i >= 0; i-- { wire := o.sorted[i] @@ -932,7 +909,8 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W if wire.noProof() { // input wires with one claim only // make sure the proof is empty - if len(finalEvalProof) != 0 || len(proofW.RoundPolyEvaluations) != 0 { + // make sure finalevalproof is of type deferred for gkr + if (finalEvalProof != nil && len(finalEvalProof.(sumcheck.DeferredEvalProof[emulated.FieldParams])) != 0) || len(proofW.RoundPolyEvaluations) != 0 { return fmt.Errorf("no proof allowed for input wire with a single claim") } @@ -946,10 +924,10 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W evaluation = *evaluationPtr v.f.AssertIsEqual(&claim.claimedEvaluations[0], &evaluation) } - } else if err = sumcheck_verifier.VerifyForGkr( - claim, proof[i], fiatshamir.WithTranscriptFr(o.transcript, wirePrefix+strconv.Itoa(i)+".", baseChallenge...), + } else if err = sumcheck_verifier.Verify( + claim, proof[i], ); err == nil { - baseChallenge = finalEvalProof + baseChallenge = finalEvalProof.(sumcheck.DeferredEvalProof[FR]) _ = baseChallenge } else { return err @@ -959,16 +937,6 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return nil } -type IdentityGate struct{} - -func (IdentityGate) Evaluate(input ...big.Int) big.Int { - return input[0] -} - -func (IdentityGate) Degree() int { - return 1 -} - // outputsList also sets the nbUniqueOutputs fields. It also sets the wire metadata. func outputsList(c Circuit, indexes map[*Wire]int) [][]int { res := make([][]int, len(c)) @@ -976,7 +944,7 @@ func outputsList(c Circuit, indexes map[*Wire]int) [][]int { res[i] = make([]int, 0) c[i].nbUniqueOutputs = 0 if c[i].IsInput() { - c[i].Gate = IdentityGate{} + c[i].Gate = IdentityGate[*sumcheck.BigIntEngine, *big.Int]{} } } ins := make(map[int]struct{}, len(c)) @@ -1035,13 +1003,13 @@ func statusList(c Circuit) []int { return res } -type IdentityGateFr[FR emulated.FieldParams] struct{} +type IdentityGate[AE sumcheck.ArithEngine[E], E element] struct{} -func (IdentityGateFr[FR]) Evaluate(api emuEngine[FR], input ...emulated.Element[FR]) emulated.Element[FR] { +func (IdentityGate[AE, E]) Evaluate(api AE, input ...E) E { return input[0] } -func (IdentityGateFr[FR]) Degree() int { +func (IdentityGate[AE, E]) Degree() int { return 1 } @@ -1052,7 +1020,7 @@ func outputsListFr[FR emulated.FieldParams](c CircuitFr[FR], indexes map[*WireFr res[i] = make([]int, 0) c[i].nbUniqueOutputs = 0 if c[i].IsInput() { - c[i].Gate = IdentityGateFr[FR]{} + c[i].Gate = IdentityGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{} } } ins := make(map[int]struct{}, len(c)) @@ -1196,7 +1164,7 @@ func (p Proofs[FR]) Serialize() []emulated.Element[FR] { for j := range p[i].RoundPolyEvaluations { size += len(p[i].RoundPolyEvaluations[j]) } - size += len(p[i].FinalEvalProof) + size += len(p[i].FinalEvalProof.(sumcheck.DeferredEvalProof[FR])) } res := make([]emulated.Element[FR], 0, size) @@ -1204,7 +1172,7 @@ func (p Proofs[FR]) Serialize() []emulated.Element[FR] { for j := range p[i].RoundPolyEvaluations { res = append(res, p[i].RoundPolyEvaluations[j]...) } - res = append(res, p[i].FinalEvalProof...) + res = append(res, p[i].FinalEvalProof.(sumcheck.DeferredEvalProof[FR])...) } if len(res) != size { panic("bug") // TODO: Remove @@ -1255,37 +1223,39 @@ func DeserializeProof[FR emulated.FieldParams](sorted []*WireFr[FR], serializedP return proof, nil } -type MulGate[FR emulated.FieldParams] struct{} +type element any -func (g MulGate[FR]) Evaluate(api emuEngine[FR], x ...emulated.Element[FR]) emulated.Element[FR] { +type MulGate[AE sumcheck.ArithEngine[E], E element] struct{} + +func (g MulGate[AE, E]) Evaluate(api AE, x ...E) E { if len(x) != 2 { panic("mul has fan-in 2") } - return *api.Mul(&x[0], &x[1]) + return api.Mul(x[0], x[1]) } // TODO: Degree must take nbInputs as an argument and return degree = nbInputs -func (g MulGate[FR]) Degree() int { +func (g MulGate[AE, E]) Degree() int { return 2 } -type AddGate[FR emulated.FieldParams] struct{} +type AddGate[AE sumcheck.ArithEngine[E], E element] struct{} -func (a AddGate[FR]) Evaluate(api emuEngine[FR], v ...emulated.Element[FR]) emulated.Element[FR] { +func (a AddGate[AE, E]) Evaluate(api AE, v ...E) E { switch len(v) { case 0: - return *api.Const(big.NewInt(0)) + return api.Const(big.NewInt(0)) case 1: return v[0] } rest := v[2:] - res := api.Add(&v[0], &v[1]) + res := api.Add(v[0], v[1]) for _, e := range rest { - res = api.Add(res, &e) + res = api.Add(res, e) } - return *res + return res } -func (a AddGate[FR]) Degree() int { +func (a AddGate[AE, E]) Degree() int { return 1 } diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index 8acc22b3b7..3f7a51aa4a 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -26,10 +26,11 @@ import ( type FR = emulated.BN254Fr var Gates = map[string]GateFr[FR]{ - "identity": IdentityGateFr[FR]{}, - "add": AddGate[FR]{}, - "mul": MulGate[FR]{}, + "identity": IdentityGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, + "add": AddGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, + "mul": MulGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, } + func TestGkrVectorsFr(t *testing.T) { testDirPath := "./test_vectors" @@ -86,7 +87,7 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { TestCaseName: path, } - p:= profile.Start() + p := profile.Start() frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, validCircuit) p.Stop() @@ -202,7 +203,7 @@ type TestCaseInfo struct { Proof PrintableProof `json:"proof"` } -//var testCases = make(map[string]*TestCase[emulated.FieldParams]) +// var testCases = make(map[string]*TestCase[emulated.FieldParams]) var testCases = make(map[string]interface{}) func getTestCase(path string) (*TestCase[FR], error) { @@ -249,7 +250,7 @@ type WireInfo struct { type CircuitInfo []WireInfo -//var circuitCache = make(map[string]CircuitFr[emulated.FieldParams]) +// var circuitCache = make(map[string]CircuitFr[emulated.FieldParams]) var circuitCache = make(map[string]interface{}) func getCircuit(path string) (circuit CircuitFr[FR], err error) { @@ -298,7 +299,7 @@ func init() { Gates["select-input-3"] = _select(2) } -func (g _select) Evaluate(_ sumcheck.emuEngine[FR], in ...emulated.Element[FR]) emulated.Element[FR] { +func (g _select) Evaluate(_ *sumcheck.EmuEngine[FR], in ...*emulated.Element[FR]) *emulated.Element[FR] { return in[g] } @@ -309,7 +310,7 @@ func (g _select) Degree() int { type PrintableProof []PrintableSumcheckProof type PrintableSumcheckProof struct { - FinalEvalProof interface{} `json:"finalEvalProof"` + FinalEvalProof interface{} `json:"finalEvalProof"` RoundPolyEvaluations [][]interface{} `json:"partialSumPolys"` } @@ -320,7 +321,7 @@ func unmarshalProof(printable PrintableProof) (proof Proofs[FR]) { if printable[i].FinalEvalProof != nil { finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) - finalEvalProof := make([]emulated.Element[FR], finalEvalSlice.Len()) + finalEvalProof := make(sumcheck.DeferredEvalProof[FR], finalEvalSlice.Len()) for k := range finalEvalProof { finalEvalProof[k] = ToVariableFr[FR](finalEvalSlice.Index(k).Interface()) } @@ -372,7 +373,6 @@ func TestTopSortTrivial(t *testing.T) { assert.Equal(t, []*WireFr[FR]{&c[1], &c[0]}, sorted) } - func TestTopSortSingleGate(t *testing.T) { c := make(CircuitFr[FR], 3) c[0].Inputs = []*WireFr[FR]{&c[1], &c[2]} diff --git a/std/recursion/sumcheck/arithengine.go b/std/recursion/sumcheck/arithengine.go index 80edf3a0e9..9743804a7a 100644 --- a/std/recursion/sumcheck/arithengine.go +++ b/std/recursion/sumcheck/arithengine.go @@ -15,7 +15,7 @@ type element any // case of prover, it is initialized with a finite field arithmetic engine // defined over [*big.Int] or field arithmetic packages. In case of verifier, is // initialized with non-native arithmetic. -type arithEngine[E element] interface { +type ArithEngine[E element] interface { Add(a, b E) E Mul(a, b E) E Sub(a, b E) E @@ -24,86 +24,74 @@ type arithEngine[E element] interface { Const(i *big.Int) E } -// bigIntEngine performs computation reducing with given modulus. -type bigIntEngine struct { +// BigIntEngine performs computation reducing with given modulus. +type BigIntEngine struct { mod *big.Int // TODO: we should also add pools for more efficient memory management. } -// BigIntEngineWrapper is an exported wrapper for bigIntEngine. -type BigIntEngineWrapper struct { - Engine *bigIntEngine -} - -// NewBigIntEngineWrapper creates a new BigIntEngineWrapper with the given modulus. -func NewBigIntEngineWrapper(mod *big.Int) *BigIntEngineWrapper { - return &BigIntEngineWrapper{ - Engine: NewBigIntEngine(mod), - } -} - -func (be *bigIntEngine) Add(a, b *big.Int) *big.Int { +func (be *BigIntEngine) Add(a, b *big.Int) *big.Int { dst := new(big.Int) dst.Add(a, b) dst.Mod(dst, be.mod) return dst } -func (be *bigIntEngine) Mul(a, b *big.Int) *big.Int { +func (be *BigIntEngine) Mul(a, b *big.Int) *big.Int { dst := new(big.Int) dst.Mul(a, b) dst.Mod(dst, be.mod) return dst } -func (be *bigIntEngine) Sub(a, b *big.Int) *big.Int { +func (be *BigIntEngine) Sub(a, b *big.Int) *big.Int { dst := new(big.Int) dst.Sub(a, b) dst.Mod(dst, be.mod) return dst } -func (be *bigIntEngine) One() *big.Int { +func (be *BigIntEngine) One() *big.Int { return big.NewInt(1) } -func (be *bigIntEngine) Const(i *big.Int) *big.Int { +func (be *BigIntEngine) Const(i *big.Int) *big.Int { return new(big.Int).Set(i) } -func NewBigIntEngine(mod *big.Int) *bigIntEngine { - return &bigIntEngine{mod: new(big.Int).Set(mod)} +func NewBigIntEngine(mod *big.Int) *BigIntEngine { + return &BigIntEngine{mod: new(big.Int).Set(mod)} } -// emuEngine uses non-native arithmetic for operations. -type emuEngine[FR emulated.FieldParams] struct { +// EmuEngine uses non-native arithmetic for operations. +type EmuEngine[FR emulated.FieldParams] struct { f *emulated.Field[FR] } -func (ee *emuEngine[FR]) Add(a, b *emulated.Element[FR]) *emulated.Element[FR] { +func (ee *EmuEngine[FR]) Add(a, b *emulated.Element[FR]) *emulated.Element[FR] { return ee.f.Add(a, b) } -func (ee *emuEngine[FR]) Mul(a, b *emulated.Element[FR]) *emulated.Element[FR] { +func (ee *EmuEngine[FR]) Mul(a, b *emulated.Element[FR]) *emulated.Element[FR] { return ee.f.Mul(a, b) } -func (ee *emuEngine[FR]) Sub(a, b *emulated.Element[FR]) *emulated.Element[FR] { +func (ee *EmuEngine[FR]) Sub(a, b *emulated.Element[FR]) *emulated.Element[FR] { return ee.f.Sub(a, b) } -func (ee *emuEngine[FR]) One() *emulated.Element[FR] { +func (ee *EmuEngine[FR]) One() *emulated.Element[FR] { return ee.f.One() } -func (ee *emuEngine[FR]) Const(i *big.Int) *emulated.Element[FR] { +func (ee *EmuEngine[FR]) Const(i *big.Int) *emulated.Element[FR] { return ee.f.NewElement(i) } -func newEmulatedEngine[FR emulated.FieldParams](api frontend.API) (*emuEngine[FR], error) { +func newEmulatedEngine[FR emulated.FieldParams](api frontend.API) (*EmuEngine[FR], error) { f, err := emulated.NewField[FR](api) if err != nil { return nil, fmt.Errorf("new field: %w", err) } - return &emuEngine[FR]{f: f}, nil + return &EmuEngine[FR]{f: f}, nil } diff --git a/std/recursion/sumcheck/claimable_gate.go b/std/recursion/sumcheck/claimable_gate.go index 5122319641..0d5d572ce7 100644 --- a/std/recursion/sumcheck/claimable_gate.go +++ b/std/recursion/sumcheck/claimable_gate.go @@ -11,7 +11,7 @@ import ( ) // gate defines a multivariate polynomial which can be sumchecked. -type gate[AE arithEngine[E], E element] interface { +type gate[AE ArithEngine[E], E element] interface { // NbInputs is the number of inputs the gate takes. NbInputs() int // Evaluate evaluates the gate at inputs vars. @@ -27,9 +27,9 @@ type gate[AE arithEngine[E], E element] interface { type gateClaim[FR emulated.FieldParams] struct { f *emulated.Field[FR] p *polynomial.Polynomial[FR] - engine *emuEngine[FR] + engine *EmuEngine[FR] - gate gate[*emuEngine[FR], *emulated.Element[FR]] + gate gate[*EmuEngine[FR], *emulated.Element[FR]] evaluationPoints [][]*emulated.Element[FR] claimedEvaluations []*emulated.Element[FR] @@ -48,7 +48,7 @@ type gateClaim[FR emulated.FieldParams] struct { // evaluationPoints is the random coefficients for ensuring the consistency of // the inputs during the final round and claimedEvals is the claimed evaluation // values with the inputs combined at the evaluationPoints. -func newGate[FR emulated.FieldParams](api frontend.API, gate gate[*emuEngine[FR], *emulated.Element[FR]], +func newGate[FR emulated.FieldParams](api frontend.API, gate gate[*EmuEngine[FR], *emulated.Element[FR]], inputs [][]*emulated.Element[FR], evaluationPoints [][]*emulated.Element[FR], claimedEvals []*emulated.Element[FR]) (LazyClaims[FR], error) { nbInputs := gate.NbInputs() @@ -152,9 +152,9 @@ func (g *gateClaim[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationC } type nativeGateClaim struct { - engine *bigIntEngine + engine *BigIntEngine - gate gate[*bigIntEngine, *big.Int] + gate gate[*BigIntEngine, *big.Int] evaluationPoints [][]*big.Int claimedEvaluations []*big.Int @@ -168,8 +168,8 @@ type nativeGateClaim struct { eq NativeMultilinear } -func newNativeGate(target *big.Int, gate gate[*bigIntEngine, *big.Int], inputs [][]*big.Int, evaluationPoints [][]*big.Int) (claim claims, evaluations []*big.Int, err error) { - be := &bigIntEngine{mod: new(big.Int).Set(target)} +func newNativeGate(target *big.Int, gate gate[*BigIntEngine, *big.Int], inputs [][]*big.Int, evaluationPoints [][]*big.Int) (claim claims, evaluations []*big.Int, err error) { + be := &BigIntEngine{mod: new(big.Int).Set(target)} nbInputs := gate.NbInputs() if len(inputs) != nbInputs { return nil, nil, fmt.Errorf("expected %d inputs got %d", nbInputs, len(inputs)) diff --git a/std/recursion/sumcheck/claimable_multilinear.go b/std/recursion/sumcheck/claimable_multilinear.go index 261cc5d126..7bb4b43918 100644 --- a/std/recursion/sumcheck/claimable_multilinear.go +++ b/std/recursion/sumcheck/claimable_multilinear.go @@ -62,7 +62,7 @@ func (fn *multilinearClaim[FR]) AssertEvaluation(r []*emulated.Element[FR], comb } type nativeMultilinearClaim struct { - be *bigIntEngine + be *BigIntEngine ml []*big.Int } diff --git a/std/recursion/sumcheck/polynomial.go b/std/recursion/sumcheck/polynomial.go index d7401d8b95..7ade42e22b 100644 --- a/std/recursion/sumcheck/polynomial.go +++ b/std/recursion/sumcheck/polynomial.go @@ -2,6 +2,7 @@ package sumcheck import ( "math/big" + "math/bits" ) type NativePolynomial []*big.Int @@ -25,7 +26,7 @@ func ReferenceBigIntSlice(vals []big.Int) []*big.Int { return ptrs } -func Fold(api *bigIntEngine, ml NativeMultilinear, r *big.Int) NativeMultilinear { +func Fold(api *BigIntEngine, ml NativeMultilinear, r *big.Int) NativeMultilinear { // NB! it modifies ml in-place and also returns mid := len(ml) / 2 bottom, top := ml[:mid], ml[mid:] @@ -38,7 +39,7 @@ func Fold(api *bigIntEngine, ml NativeMultilinear, r *big.Int) NativeMultilinear return ml[:mid] } -func hypersumX1One(api *bigIntEngine, ml NativeMultilinear) *big.Int { +func hypersumX1One(api *BigIntEngine, ml NativeMultilinear) *big.Int { sum := ml[len(ml)/2] for i := len(ml)/2 + 1; i < len(ml); i++ { sum = api.Add(sum, ml[i]) @@ -46,7 +47,7 @@ func hypersumX1One(api *bigIntEngine, ml NativeMultilinear) *big.Int { return sum } -func Eq(api *bigIntEngine, ml NativeMultilinear, q []*big.Int) NativeMultilinear { +func Eq(api *BigIntEngine, ml NativeMultilinear, q []*big.Int) NativeMultilinear { if (1 << len(q)) != len(ml) { panic("scalar length mismatch") } @@ -62,7 +63,7 @@ func Eq(api *bigIntEngine, ml NativeMultilinear, q []*big.Int) NativeMultilinear return ml } -func Eval(api *bigIntEngine, ml NativeMultilinear, r []*big.Int) *big.Int { +func Eval(api *BigIntEngine, ml NativeMultilinear, r []*big.Int) *big.Int { mlCopy := make(NativeMultilinear, len(ml)) for i := range mlCopy { mlCopy[i] = new(big.Int).Set(ml[i]) @@ -75,7 +76,7 @@ func Eval(api *bigIntEngine, ml NativeMultilinear, r []*big.Int) *big.Int { return mlCopy[0] } -func eqAcc(api *bigIntEngine, e NativeMultilinear, m NativeMultilinear, q []*big.Int) NativeMultilinear { +func eqAcc(api *BigIntEngine, e NativeMultilinear, m NativeMultilinear, q []*big.Int) NativeMultilinear { if len(e) != len(m) { panic("length mismatch") } @@ -98,4 +99,8 @@ func eqAcc(api *bigIntEngine, e NativeMultilinear, m NativeMultilinear, q []*big e[i] = api.Add(e[i], m[i]) } return e -} \ No newline at end of file +} + +func (m NativeMultilinear) NumVars() int { + return bits.TrailingZeros(uint(len(m))) +} diff --git a/std/recursion/sumcheck/proof.go b/std/recursion/sumcheck/proof.go index 1533539eb8..304aef6bac 100644 --- a/std/recursion/sumcheck/proof.go +++ b/std/recursion/sumcheck/proof.go @@ -11,7 +11,7 @@ type Proof[FR emulated.FieldParams] struct { RoundPolyEvaluations []polynomial.Univariate[FR] // FinalEvalProof is the witness for helping the verifier to compute the // final round of the sumcheck protocol. - FinalEvalProof DeferredEvalProof[FR] + FinalEvalProof EvaluationProof } type NativeProof struct { diff --git a/std/recursion/sumcheck/prover.go b/std/recursion/sumcheck/prover.go index 5001c0336c..75ca75bfac 100644 --- a/std/recursion/sumcheck/prover.go +++ b/std/recursion/sumcheck/prover.go @@ -44,9 +44,6 @@ func Prove(current *big.Int, target *big.Int, claims claims, opts ...proverOptio return proof, fmt.Errorf("new short hash: %w", err) } fs := fiatshamir.NewTranscript(fshash, challengeNames...) - if err != nil { - return proof, fmt.Errorf("new transcript: %w", err) - } // bind challenge from previous round if it is a continuation if err = BindChallengeProver(fs, challengeNames[0], cfg.baseChallenges); err != nil { return proof, fmt.Errorf("base: %w", err) diff --git a/std/recursion/sumcheck/scalarmul_gates_test.go b/std/recursion/sumcheck/scalarmul_gates_test.go index 689545f3c1..3740537317 100644 --- a/std/recursion/sumcheck/scalarmul_gates_test.go +++ b/std/recursion/sumcheck/scalarmul_gates_test.go @@ -14,7 +14,7 @@ import ( "github.com/consensys/gnark/test" ) -type projAddGate[AE arithEngine[E], E element] struct { +type projAddGate[AE ArithEngine[E], E element] struct { folding E } @@ -102,7 +102,7 @@ func (c *ProjAddSumcheckCircuit[FR]) Define(api frontend.API) error { for i := range c.EvaluationPoints { evalPoints[i] = polynomial.FromSlice[FR](c.EvaluationPoints[i]) } - claim, err := newGate[FR](api, projAddGate[*emuEngine[FR], *emulated.Element[FR]]{f.NewElement(123)}, inputs, evalPoints, claimedEvals) + claim, err := newGate[FR](api, projAddGate[*EmuEngine[FR], *emulated.Element[FR]]{f.NewElement(123)}, inputs, evalPoints, claimedEvals) if err != nil { return fmt.Errorf("new gate claim: %w", err) } @@ -114,7 +114,7 @@ func (c *ProjAddSumcheckCircuit[FR]) Define(api frontend.API) error { func testProjAddSumCheckInstance[FR emulated.FieldParams](t *testing.T, current *big.Int, inputs [][]int) { var fr FR - nativeGate := projAddGate[*bigIntEngine, *big.Int]{folding: big.NewInt(123)} + nativeGate := projAddGate[*BigIntEngine, *big.Int]{folding: big.NewInt(123)} assert := test.NewAssert(t) inputB := make([][]*big.Int, len(inputs)) for i := range inputB { @@ -168,11 +168,11 @@ func TestProjAddSumCheckSumcheck(t *testing.T) { testProjAddSumCheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), inputs) } -type dblAddSelectGate[AE arithEngine[E], E element] struct { +type dblAddSelectGate[AE ArithEngine[E], E element] struct { folding []E } -func projAdd[AE arithEngine[E], E element](api AE, X1, Y1, Z1, X2, Y2, Z2 E) (X3, Y3, Z3 E) { +func projAdd[AE ArithEngine[E], E element](api AE, X1, Y1, Z1, X2, Y2, Z2 E) (X3, Y3, Z3 E) { b3 := api.Const(big.NewInt(21)) t0 := api.Mul(X1, X2) t1 := api.Mul(Y1, Y2) @@ -210,7 +210,7 @@ func projAdd[AE arithEngine[E], E element](api AE, X1, Y1, Z1, X2, Y2, Z2 E) (X3 return } -func projSelect[AE arithEngine[E], E element](api AE, selector, X1, Y1, Z1, X2, Y2, Z2 E) (X3, Y3, Z3 E) { +func projSelect[AE ArithEngine[E], E element](api AE, selector, X1, Y1, Z1, X2, Y2, Z2 E) (X3, Y3, Z3 E) { X3 = api.Sub(X1, X2) X3 = api.Mul(selector, X3) X3 = api.Add(X3, X2) @@ -225,7 +225,7 @@ func projSelect[AE arithEngine[E], E element](api AE, selector, X1, Y1, Z1, X2, return } -func projDbl[AE arithEngine[E], E element](api AE, X, Y, Z E) (X3, Y3, Z3 E) { +func projDbl[AE ArithEngine[E], E element](api AE, X, Y, Z E) (X3, Y3, Z3 E) { b3 := api.Const(big.NewInt(21)) t0 := api.Mul(Y, Y) Z3 = api.Add(t0, t0) @@ -285,7 +285,7 @@ func (m dblAddSelectGate[AE, E]) Evaluate(api AE, vars ...E) E { func TestDblAndAddGate(t *testing.T) { assert := test.NewAssert(t) - nativeGate := dblAddSelectGate[*bigIntEngine, *big.Int]{folding: []*big.Int{ + nativeGate := dblAddSelectGate[*BigIntEngine, *big.Int]{folding: []*big.Int{ big.NewInt(1), big.NewInt(2), big.NewInt(3), @@ -339,7 +339,7 @@ func (c *ProjDblAddSelectSumcheckCircuit[FR]) Define(api frontend.API) error { for i := range c.EvaluationPoints { evalPoints[i] = polynomial.FromSlice[FR](c.EvaluationPoints[i]) } - claim, err := newGate[FR](api, dblAddSelectGate[*emuEngine[FR], + claim, err := newGate[FR](api, dblAddSelectGate[*EmuEngine[FR], *emulated.Element[FR]]{ folding: []*emulated.Element[FR]{ f.NewElement(1), @@ -361,7 +361,7 @@ func (c *ProjDblAddSelectSumcheckCircuit[FR]) Define(api frontend.API) error { func testProjDblAddSelectSumCheckInstance[FR emulated.FieldParams](t *testing.T, current *big.Int, inputs [][]int) { var fr FR - nativeGate := dblAddSelectGate[*bigIntEngine, *big.Int]{folding: []*big.Int{ + nativeGate := dblAddSelectGate[*BigIntEngine, *big.Int]{folding: []*big.Int{ big.NewInt(1), big.NewInt(2), big.NewInt(3), diff --git a/std/recursion/sumcheck/sumcheck_test.go b/std/recursion/sumcheck/sumcheck_test.go index e8bfd7ce90..4db5c8aa55 100644 --- a/std/recursion/sumcheck/sumcheck_test.go +++ b/std/recursion/sumcheck/sumcheck_test.go @@ -92,7 +92,7 @@ func getChallengeEvaluationPoints[FR emulated.FieldParams](inputs [][]*big.Int) return } -type mulGate1[AE arithEngine[E], E element] struct{} +type mulGate1[AE ArithEngine[E], E element] struct{} func (m mulGate1[AE, E]) NbInputs() int { return 2 } func (m mulGate1[AE, E]) Degree() int { return 2 } @@ -133,7 +133,7 @@ func (c *MulGateSumcheck[FR]) Define(api frontend.API) error { for i := range c.EvaluationPoints { evalPoints[i] = polynomial.FromSlice[FR](c.EvaluationPoints[i]) } - claim, err := newGate[FR](api, mulGate1[*emuEngine[FR], *emulated.Element[FR]]{}, inputs, evalPoints, claimedEvals) + claim, err := newGate[FR](api, mulGate1[*EmuEngine[FR], *emulated.Element[FR]]{}, inputs, evalPoints, claimedEvals) if err != nil { return fmt.Errorf("new gate claim: %w", err) } @@ -145,7 +145,7 @@ func (c *MulGateSumcheck[FR]) Define(api frontend.API) error { func testMulGate1SumcheckInstance[FR emulated.FieldParams](t *testing.T, current *big.Int, inputs [][]int) { var fr FR - var nativeGate mulGate1[*bigIntEngine, *big.Int] + var nativeGate mulGate1[*BigIntEngine, *big.Int] assert := test.NewAssert(t) inputB := make([][]*big.Int, len(inputs)) for i := range inputB { diff --git a/std/recursion/sumcheck/verifier.go b/std/recursion/sumcheck/verifier.go index 3ab2399622..10d64f7daf 100644 --- a/std/recursion/sumcheck/verifier.go +++ b/std/recursion/sumcheck/verifier.go @@ -2,66 +2,32 @@ package sumcheck import ( "fmt" - "strconv" "github.com/consensys/gnark/frontend" - fiatshamir "github.com/consensys/gnark/std/fiat-shamir" "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark/std/math/polynomial" "github.com/consensys/gnark/std/recursion" ) -type config struct { +type Config struct { prefix string } // Option allows to alter the sumcheck verifier behaviour. -type Option func(c *config) error - -func (v *Verifier[FR]) setupTranscript(claimsNum int, varsNum int, settings *fiatshamir.SettingsFr[FR]) ([]string, error) { - var fr FR - numChallenges := varsNum - if claimsNum >= 2 { - numChallenges++ - } - challengeNames := make([]string, numChallenges) - if claimsNum >= 2 { - challengeNames[0] = settings.Prefix + "comb" - } - prefix := settings.Prefix + "pSP." - for i := 0; i < varsNum; i++ { - challengeNames[i+numChallenges-varsNum] = prefix + strconv.Itoa(i) - } - // todo check if settings.Transcript is nil - if settings.Transcript == nil { - var err error - settings.Transcript, err = recursion.NewTranscript(v.api, fr.Modulus(), challengeNames) // not passing settings.hash check - if err != nil { - return nil, err - } - } - - return challengeNames, v.bindChallenge(settings.Transcript, challengeNames[0], settings.BaseChallenges) -} - -func (v *Verifier[FR]) next(transcript *fiatshamir.Transcript, bindings []emulated.Element[FR], remainingChallengeNames *[]string) (emulated.Element[FR], error) { - challenge, newRemainingChallengeNames, err := v.deriveChallenge(transcript, *remainingChallengeNames, bindings) - *remainingChallengeNames = newRemainingChallengeNames - return *challenge, err -} +type Option func(c *Config) error // WithClaimPrefix prepends the given string to the challenge names when // computing the challenges inside the sumcheck verifier. The option is used in // a higher level protocols to ensure that sumcheck claims are not interchanged. func WithClaimPrefix(prefix string) Option { - return func(c *config) error { + return func(c *Config) error { c.prefix = prefix return nil } } -func newConfig(opts ...Option) (*config, error) { - cfg := new(config) +func NewConfig(opts ...Option) (*Config, error) { + cfg := new(Config) for i := range opts { if err := opts[i](cfg); err != nil { return nil, fmt.Errorf("apply option %d: %w", i, err) @@ -71,7 +37,7 @@ func newConfig(opts ...Option) (*config, error) { } type verifyCfg[FR emulated.FieldParams] struct { - baseChallenges []emulated.Element[FR] + BaseChallenges []emulated.Element[FR] } // VerifyOption allows to alter the behaviour of the single sumcheck proof verification. @@ -82,13 +48,13 @@ type VerifyOption[FR emulated.FieldParams] func(c *verifyCfg[FR]) error func WithBaseChallenges[FR emulated.FieldParams](baseChallenges []*emulated.Element[FR]) VerifyOption[FR] { return func(c *verifyCfg[FR]) error { for i := range baseChallenges { - c.baseChallenges = append(c.baseChallenges, *baseChallenges[i]) + c.BaseChallenges = append(c.BaseChallenges, *baseChallenges[i]) } return nil } } -func newVerificationConfig[FR emulated.FieldParams](opts ...VerifyOption[FR]) (*verifyCfg[FR], error) { +func NewVerificationConfig[FR emulated.FieldParams](opts ...VerifyOption[FR]) (*verifyCfg[FR], error) { cfg := new(verifyCfg[FR]) for i := range opts { if err := opts[i](cfg); err != nil { @@ -103,14 +69,14 @@ type Verifier[FR emulated.FieldParams] struct { api frontend.API f *emulated.Field[FR] p *polynomial.Polynomial[FR] - *config + *Config } // NewVerifier initializes a new sumcheck verifier for the parametric emulated // field FR. It returns an error if the given options are invalid or when // initializing emulated arithmetic fails. func NewVerifier[FR emulated.FieldParams](api frontend.API, opts ...Option) (*Verifier[FR], error) { - cfg, err := newConfig(opts...) + cfg, err := NewConfig(opts...) if err != nil { return nil, fmt.Errorf("new configuration: %w", err) } @@ -126,14 +92,14 @@ func NewVerifier[FR emulated.FieldParams](api frontend.API, opts ...Option) (*Ve api: api, f: f, p: p, - config: cfg, + Config: cfg, }, nil } // Verify verifies the sumcheck proof for the given (lazy) claims. func (v *Verifier[FR]) Verify(claims LazyClaims[FR], proof Proof[FR], opts ...VerifyOption[FR]) error { var fr FR - cfg, err := newVerificationConfig(opts...) + cfg, err := NewVerificationConfig(opts...) if err != nil { return fmt.Errorf("verification opts: %w", err) } @@ -143,7 +109,7 @@ func (v *Verifier[FR]) Verify(claims LazyClaims[FR], proof Proof[FR], opts ...Ve return fmt.Errorf("new transcript: %w", err) } // bind challenge from previous round if it is a continuation - if err = v.bindChallenge(fs, challengeNames[0], cfg.baseChallenges); err != nil { + if err = v.bindChallenge(fs, challengeNames[0], cfg.BaseChallenges); err != nil { return fmt.Errorf("base: %w", err) } @@ -212,56 +178,4 @@ func (v *Verifier[FR]) Verify(claims LazyClaims[FR], proof Proof[FR], opts ...Ve } return nil -} - -// VerifyForGkr verifies the sumcheck proof for the given (lazy) claims. -func (v *Verifier[FR]) VerifyForGkr(claims LazyClaims[FR], proof Proof[FR], transcriptSettings fiatshamir.SettingsFr[FR]) error { - - remainingChallengeNames, err := v.setupTranscript(claims.NbClaims(), claims.NbVars(), &transcriptSettings) - transcript := transcriptSettings.Transcript - if err != nil { - return err - } - - var combinationCoef emulated.Element[FR] - - if claims.NbClaims() >= 2 { - if combinationCoef, err = v.next(transcript, []emulated.Element[FR]{}, &remainingChallengeNames); err != nil { - return err - } - } - - r := make([]emulated.Element[FR], claims.NbVars()) - - // Just so that there is enough room for gJ to be reused - maxDegree := claims.Degree(0) - for j := 1; j < claims.NbVars(); j++ { - if d := claims.Degree(j); d > maxDegree { - maxDegree = d - } - } - - gJ := make([]emulated.Element[FR], maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() - // gJR is the claimed value. In case of multiple claims it is combined - // claimed value we're going to check against. - gJR := claims.CombinedSum(&combinationCoef) - - for j := 0; j < claims.NbVars(); j++ { - partialSumPoly := proof.RoundPolyEvaluations[j] //proof.PartialSumPolys(j) - if len(partialSumPoly) != claims.Degree(j) { - return fmt.Errorf("malformed proof") //Malformed proof - } - copy(gJ[1:], partialSumPoly) - gJ[0] = *v.f.Sub(gJR, &partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) - // gJ is ready - - //Prepare for the next iteration - if r[j], err = v.next(transcript, proof.RoundPolyEvaluations[j], &remainingChallengeNames); err != nil { - return err - } - - gJR = v.p.InterpolateLDE(&r[j], polynomial.FromSlice(gJ[:(claims.Degree(j)+1)])) - } - - return claims.AssertEvaluation(polynomial.FromSlice(r), &combinationCoef, gJR, proof.FinalEvalProof) -} +} \ No newline at end of file From 5224face24a342316bcf0e381c2f7bfd6120ed09 Mon Sep 17 00:00:00 2001 From: ak36 Date: Mon, 17 Jun 2024 23:47:54 -0400 Subject: [PATCH 13/26] removed Fr naming with Emulated --- std/fiat-shamir/settings.go | 10 +-- std/recursion/gkr/gkr_nonnative.go | 104 ++++++++++++------------ std/recursion/gkr/gkr_nonnative_test.go | 88 ++++++++++---------- 3 files changed, 101 insertions(+), 101 deletions(-) diff --git a/std/fiat-shamir/settings.go b/std/fiat-shamir/settings.go index 3b712b02b4..4d56522d81 100644 --- a/std/fiat-shamir/settings.go +++ b/std/fiat-shamir/settings.go @@ -13,7 +13,7 @@ type Settings struct { Hash hash.FieldHasher } -type SettingsFr[FR emulated.FieldParams] struct { +type SettingsEmulated[FR emulated.FieldParams] struct { Transcript *Transcript Prefix string BaseChallenges []emulated.Element[FR] @@ -28,8 +28,8 @@ func WithTranscript(transcript *Transcript, prefix string, baseChallenges ...fro } } -func WithTranscriptFr[FR emulated.FieldParams](transcript *Transcript, prefix string, baseChallenges ...emulated.Element[FR]) SettingsFr[FR] { - return SettingsFr[FR]{ +func WithTranscriptFr[FR emulated.FieldParams](transcript *Transcript, prefix string, baseChallenges ...emulated.Element[FR]) SettingsEmulated[FR] { + return SettingsEmulated[FR]{ Transcript: transcript, Prefix: prefix, BaseChallenges: baseChallenges, @@ -43,8 +43,8 @@ func WithHash(hash hash.FieldHasher, baseChallenges ...frontend.Variable) Settin } } -func WithHashFr[FR emulated.FieldParams](hash hash.FieldHasher, baseChallenges ...emulated.Element[FR]) SettingsFr[FR] { - return SettingsFr[FR]{ +func WithHashFr[FR emulated.FieldParams](hash hash.FieldHasher, baseChallenges ...emulated.Element[FR]) SettingsEmulated[FR] { + return SettingsEmulated[FR]{ BaseChallenges: baseChallenges, Hash: hash, } diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index 9f1223eed1..3c8a202d6b 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -40,14 +40,14 @@ type Wire struct { } // Gate must be a low-degree polynomial -type GateFr[FR emulated.FieldParams] interface { +type GateEmulated[FR emulated.FieldParams] interface { Evaluate(*sumcheck.EmuEngine[FR], ...*emulated.Element[FR]) *emulated.Element[FR] Degree() int } -type WireFr[FR emulated.FieldParams] struct { - Gate GateFr[FR] - Inputs []*WireFr[FR] // if there are no Inputs, the wire is assumed an input wire +type WireEmulated[FR emulated.FieldParams] struct { + Gate GateEmulated[FR] + Inputs []*WireEmulated[FR] // if there are no Inputs, the wire is assumed an input wire nbUniqueOutputs int // number of other wires using it as input, not counting duplicates (i.e. providing two inputs to the same gate counts as one) } @@ -90,32 +90,32 @@ func (c Circuit) maxGateDegree() int { return res } -type CircuitFr[FR emulated.FieldParams] []WireFr[FR] +type CircuitEmulated[FR emulated.FieldParams] []WireEmulated[FR] -func (w WireFr[FR]) IsInput() bool { +func (w WireEmulated[FR]) IsInput() bool { return len(w.Inputs) == 0 } -func (w WireFr[FR]) IsOutput() bool { +func (w WireEmulated[FR]) IsOutput() bool { return w.nbUniqueOutputs == 0 } -func (w WireFr[FR]) NbClaims() int { +func (w WireEmulated[FR]) NbClaims() int { if w.IsOutput() { return 1 } return w.nbUniqueOutputs } -func (w WireFr[FR]) nbUniqueInputs() int { - set := make(map[*WireFr[FR]]struct{}, len(w.Inputs)) +func (w WireEmulated[FR]) nbUniqueInputs() int { + set := make(map[*WireEmulated[FR]]struct{}, len(w.Inputs)) for _, in := range w.Inputs { set[in] = struct{}{} } return len(set) } -func (w WireFr[FR]) noProof() bool { +func (w WireEmulated[FR]) noProof() bool { return w.IsInput() && w.NbClaims() == 1 } @@ -123,15 +123,15 @@ func (w WireFr[FR]) noProof() bool { type WireAssignment map[*Wire]sumcheck.NativeMultilinear // WireAssignment is assignment of values to the same wire across many instances of the circuit -type WireAssignmentFr[FR emulated.FieldParams] map[*WireFr[FR]]polynomial.Multilinear[FR] +type WireAssignmentEmulated[FR emulated.FieldParams] map[*WireEmulated[FR]]polynomial.Multilinear[FR] type Proofs[FR emulated.FieldParams] []sumcheck.Proof[FR] // for each layer, for each wire, a sumcheck (for each variable, a polynomial) type eqTimesGateEvalSumcheckLazyClaimsFr[FR emulated.FieldParams] struct { - wire *WireFr[FR] + wire *WireEmulated[FR] evaluationPoints [][]emulated.Element[FR] claimedEvaluations []emulated.Element[FR] - manager *claimsManagerFr[FR] // WARNING: Circular references + manager *claimsManagerEmulated[FR] // WARNING: Circular references verifier *GKRVerifier[FR] engine *sumcheck.EmuEngine[FR] } @@ -163,7 +163,7 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.E gateEvaluation = *gateEvaluationPtr } else { inputEvaluations := make([]emulated.Element[FR], len(e.wire.Inputs)) - indexesInProof := make(map[*WireFr[FR]]int, len(inputEvaluationsNoRedundancy)) + indexesInProof := make(map[*WireEmulated[FR]]int, len(inputEvaluationsNoRedundancy)) proofI := 0 for inI, in := range e.wire.Inputs { @@ -216,14 +216,14 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) AssertEvaluation(r []*emulated return nil } -type claimsManagerFr[FR emulated.FieldParams] struct { - claimsMap map[*WireFr[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR] - assignment WireAssignmentFr[FR] +type claimsManagerEmulated[FR emulated.FieldParams] struct { + claimsMap map[*WireEmulated[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR] + assignment WireAssignmentEmulated[FR] } -func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment WireAssignmentFr[FR], verifier GKRVerifier[FR]) (claims claimsManagerFr[FR]) { +func newClaimsManagerEmulated[FR emulated.FieldParams](c CircuitEmulated[FR], assignment WireAssignmentEmulated[FR], verifier GKRVerifier[FR]) (claims claimsManagerEmulated[FR]) { claims.assignment = assignment - claims.claimsMap = make(map[*WireFr[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR], len(c)) + claims.claimsMap = make(map[*WireEmulated[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR], len(c)) for i := range c { wire := &c[i] @@ -239,18 +239,18 @@ func newClaimsManagerFr[FR emulated.FieldParams](c CircuitFr[FR], assignment Wir return } -func (m *claimsManagerFr[FR]) add(wire *WireFr[FR], evaluationPoint []emulated.Element[FR], evaluation emulated.Element[FR]) { +func (m *claimsManagerEmulated[FR]) add(wire *WireEmulated[FR], evaluationPoint []emulated.Element[FR], evaluation emulated.Element[FR]) { claim := m.claimsMap[wire] i := len(claim.evaluationPoints) claim.claimedEvaluations[i] = evaluation claim.evaluationPoints = append(claim.evaluationPoints, evaluationPoint) } -func (m *claimsManagerFr[FR]) getLazyClaim(wire *WireFr[FR]) *eqTimesGateEvalSumcheckLazyClaimsFr[FR] { +func (m *claimsManagerEmulated[FR]) getLazyClaim(wire *WireEmulated[FR]) *eqTimesGateEvalSumcheckLazyClaimsFr[FR] { return m.claimsMap[wire] } -func (m *claimsManagerFr[FR]) deleteClaim(wire *WireFr[FR]) { +func (m *claimsManagerEmulated[FR]) deleteClaim(wire *WireEmulated[FR]) { delete(m.claimsMap, wire) } @@ -558,17 +558,17 @@ type NativeProofs []sumcheck.NativeProof type OptionGkr func(*settings) -type settingsFr[FR emulated.FieldParams] struct { - sorted []*WireFr[FR] +type SettingsEmulated[FR emulated.FieldParams] struct { + sorted []*WireEmulated[FR] transcript *fiatshamir.Transcript transcriptPrefix string nbVars int } -type OptionFr[FR emulated.FieldParams] func(*settingsFr[FR]) +type OptionFr[FR emulated.FieldParams] func(*SettingsEmulated[FR]) -func WithSortedCircuit[FR emulated.FieldParams](sorted []*WireFr[FR]) OptionFr[FR] { - return func(options *settingsFr[FR]) { +func WithSortedCircuit[FR emulated.FieldParams](sorted []*WireEmulated[FR]) OptionFr[FR] { + return func(options *SettingsEmulated[FR]) { options.sorted = sorted } } @@ -631,9 +631,9 @@ func (v *GKRVerifier[FR]) bindChallenge(fs *fiatshamir.Transcript, challengeName return nil } -func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitFr[FR], assignment WireAssignmentFr[FR], transcriptSettings fiatshamir.SettingsFr[FR], options ...OptionFr[FR]) (settingsFr[FR], error) { +func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitEmulated[FR], assignment WireAssignmentEmulated[FR], transcriptSettings fiatshamir.SettingsEmulated[FR], options ...OptionFr[FR]) (SettingsEmulated[FR], error) { var fr FR - var o settingsFr[FR] + var o SettingsEmulated[FR] var err error for _, option := range options { option(&o) @@ -651,7 +651,7 @@ func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitFr[FR], assignment Wi } if o.sorted == nil { - o.sorted = topologicalSortFr(c) + o.sorted = topologicalSortEmulated(c) } if transcriptSettings.Transcript == nil { @@ -672,7 +672,7 @@ func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitFr[FR], assignment Wi } // ProofSize computes how large the proof for a circuit would be. It needs nbUniqueOutputs to be set -func ProofSize[FR emulated.FieldParams](c CircuitFr[FR], logNbInstances int) int { +func ProofSize[FR emulated.FieldParams](c CircuitEmulated[FR], logNbInstances int) int { nbUniqueInputs := 0 nbPartialEvalPolys := 0 for i := range c { @@ -739,7 +739,7 @@ func ChallengeNames(sorted []*Wire, logNbInstances int, prefix string) []string return challenges } -func ChallengeNamesFr[FR emulated.FieldParams](sorted []*WireFr[FR], logNbInstances int, prefix string) []string { +func ChallengeNamesFr[FR emulated.FieldParams](sorted []*WireEmulated[FR], logNbInstances int, prefix string) []string { // Pre-compute the size TODO: Consider not doing this and just grow the list by appending size := logNbInstances // first challenge @@ -872,7 +872,7 @@ func Prove(api frontend.API, current *big.Int, target *big.Int, c Circuit, assig // Verify the consistency of the claimed output with the claimed input // Unlike in Prove, the assignment argument need not be complete, // Use valueOfProof[FR](proof) to convert nativeproof by prover into nonnativeproof used by in-circuit verifier -func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment WireAssignmentFr[FR], proof Proofs[FR], transcriptSettings fiatshamir.SettingsFr[FR], options ...OptionFr[FR]) error { +func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitEmulated[FR], assignment WireAssignmentEmulated[FR], proof Proofs[FR], transcriptSettings fiatshamir.SettingsEmulated[FR], options ...OptionFr[FR]) error { o, err := v.setup(api, c, assignment, transcriptSettings, options...) if err != nil { return err @@ -882,7 +882,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitFr[FR], assignment W return err } - claims := newClaimsManagerFr(c, assignment, *v) + claims := newClaimsManagerEmulated[FR](c, assignment, *v) var firstChallenge []emulated.Element[FR] firstChallenge, err = v.getChallengesFr(o.transcript, getFirstChallengeNames(o.nbVars, o.transcriptPrefix)) if err != nil { @@ -1014,7 +1014,7 @@ func (IdentityGate[AE, E]) Degree() int { } // outputsList also sets the nbUniqueOutputs fields. It also sets the wire metadata. -func outputsListFr[FR emulated.FieldParams](c CircuitFr[FR], indexes map[*WireFr[FR]]int) [][]int { +func outputsListEmulated[FR emulated.FieldParams](c CircuitEmulated[FR], indexes map[*WireEmulated[FR]]int) [][]int { res := make([][]int, len(c)) for i := range c { res[i] = make([]int, 0) @@ -1040,14 +1040,14 @@ func outputsListFr[FR emulated.FieldParams](c CircuitFr[FR], indexes map[*WireFr return res } -type topSortDataFr[FR emulated.FieldParams] struct { +type topSortDataEmulated[FR emulated.FieldParams] struct { outputs [][]int status []int // status > 0 indicates number of inputs left to be ready. status = 0 means ready. status = -1 means done - index map[*WireFr[FR]]int + index map[*WireEmulated[FR]]int leastReady int } -func (d *topSortDataFr[FR]) markDone(i int) { +func (d *topSortDataEmulated[FR]) markDone(i int) { d.status[i] = -1 @@ -1063,15 +1063,15 @@ func (d *topSortDataFr[FR]) markDone(i int) { } } -func indexMapFr[FR emulated.FieldParams](c CircuitFr[FR]) map[*WireFr[FR]]int { - res := make(map[*WireFr[FR]]int, len(c)) +func indexMapEmulated[FR emulated.FieldParams](c CircuitEmulated[FR]) map[*WireEmulated[FR]]int { + res := make(map[*WireEmulated[FR]]int, len(c)) for i := range c { res[&c[i]] = i } return res } -func statusListFr[FR emulated.FieldParams](c CircuitFr[FR]) []int { +func statusListEmulated[FR emulated.FieldParams](c CircuitEmulated[FR]) []int { res := make([]int, len(c)) for i := range c { res[i] = len(c[i].Inputs) @@ -1122,12 +1122,12 @@ func (a WireAssignment) NumVars() int { panic("empty assignment") } -func topologicalSortFr[FR emulated.FieldParams](c CircuitFr[FR]) []*WireFr[FR] { - var data topSortDataFr[FR] - data.index = indexMapFr(c) - data.outputs = outputsListFr(c, data.index) - data.status = statusListFr(c) - sorted := make([]*WireFr[FR], len(c)) +func topologicalSortEmulated[FR emulated.FieldParams](c CircuitEmulated[FR]) []*WireEmulated[FR] { + var data topSortDataEmulated[FR] + data.index = indexMapEmulated(c) + data.outputs = outputsListEmulated(c, data.index) + data.status = statusListEmulated(c) + sorted := make([]*WireEmulated[FR], len(c)) for data.leastReady = 0; data.status[data.leastReady] != 0; data.leastReady++ { } @@ -1140,7 +1140,7 @@ func topologicalSortFr[FR emulated.FieldParams](c CircuitFr[FR]) []*WireFr[FR] { return sorted } -func (a WireAssignmentFr[FR]) NumInstances() int { +func (a WireAssignmentEmulated[FR]) NumInstances() int { for _, aW := range a { if aW != nil { return len(aW) @@ -1149,7 +1149,7 @@ func (a WireAssignmentFr[FR]) NumInstances() int { panic("empty assignment") } -func (a WireAssignmentFr[FR]) NumVars() int { +func (a WireAssignmentEmulated[FR]) NumVars() int { for _, aW := range a { if aW != nil { return aW.NumVars() @@ -1180,7 +1180,7 @@ func (p Proofs[FR]) Serialize() []emulated.Element[FR] { return res } -func computeLogNbInstances[FR emulated.FieldParams](wires []*WireFr[FR], serializedProofLen int) int { +func computeLogNbInstances[FR emulated.FieldParams](wires []*WireEmulated[FR], serializedProofLen int) int { partialEvalElemsPerVar := 0 for _, w := range wires { if !w.noProof() { @@ -1203,7 +1203,7 @@ func (r *variablesReader[FR]) hasNextN(n int) bool { return len(*r) >= n } -func DeserializeProof[FR emulated.FieldParams](sorted []*WireFr[FR], serializedProof []emulated.Element[FR]) (Proofs[FR], error) { +func DeserializeProof[FR emulated.FieldParams](sorted []*WireEmulated[FR], serializedProof []emulated.Element[FR]) (Proofs[FR], error) { proof := make(Proofs[FR], len(sorted)) logNbInstances := computeLogNbInstances(sorted, len(serializedProof)) diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index 3f7a51aa4a..e8d7c257dd 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -25,7 +25,7 @@ import ( type FR = emulated.BN254Fr -var Gates = map[string]GateFr[FR]{ +var Gates = map[string]GateEmulated[FR]{ "identity": IdentityGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, "add": AddGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, "mul": MulGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, @@ -141,7 +141,7 @@ func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { if testCase, err = getTestCase(c.TestCaseName); err != nil { return err } - sorted := topologicalSortFr(testCase.Circuit) + sorted := topologicalSortEmulated(testCase.Circuit) if proof, err = DeserializeProof(sorted, c.SerializedProof); err != nil { return err @@ -165,9 +165,9 @@ func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](h)) } -func makeInOutAssignment[FR emulated.FieldParams](c CircuitFr[FR], inputValues [][]emulated.Element[FR], outputValues [][]emulated.Element[FR]) WireAssignmentFr[FR] { - sorted := topologicalSortFr(c) - res := make(WireAssignmentFr[FR], len(inputValues)+len(outputValues)) +func makeInOutAssignment[FR emulated.FieldParams](c CircuitEmulated[FR], inputValues [][]emulated.Element[FR], outputValues [][]emulated.Element[FR]) WireAssignmentEmulated[FR] { + sorted := topologicalSortEmulated(c) + res := make(WireAssignmentEmulated[FR], len(inputValues)+len(outputValues)) inI, outI := 0, 0 for _, w := range sorted { if w.IsInput() { @@ -188,7 +188,7 @@ func fillWithBlanks[FR emulated.FieldParams](slice [][]emulated.Element[FR], siz } type TestCase[FR emulated.FieldParams] struct { - Circuit CircuitFr[FR] + Circuit CircuitEmulated[FR] Hash HashDescription Proof Proofs[FR] Input [][]emulated.Element[FR] @@ -253,13 +253,13 @@ type CircuitInfo []WireInfo // var circuitCache = make(map[string]CircuitFr[emulated.FieldParams]) var circuitCache = make(map[string]interface{}) -func getCircuit(path string) (circuit CircuitFr[FR], err error) { +func getCircuit(path string) (circuit CircuitEmulated[FR], err error) { path, err = filepath.Abs(path) if err != nil { return } var ok bool - if circuit, ok = circuitCache[path].(CircuitFr[FR]); ok { + if circuit, ok = circuitCache[path].(CircuitEmulated[FR]); ok { return } var bytes []byte @@ -275,10 +275,10 @@ func getCircuit(path string) (circuit CircuitFr[FR], err error) { return } -func toCircuitFr(c CircuitInfo) (circuit CircuitFr[FR], err error) { - circuit = make(CircuitFr[FR], len(c)) +func toCircuitFr(c CircuitInfo) (circuit CircuitEmulated[FR], err error) { + circuit = make(CircuitEmulated[FR], len(c)) for i, wireInfo := range c { - circuit[i].Inputs = make([]*WireFr[FR], len(wireInfo.Inputs)) + circuit[i].Inputs = make([]*WireEmulated[FR], len(wireInfo.Inputs)) for iAsInput, iAsWire := range wireInfo.Inputs { input := &circuit[iAsWire] circuit[i].Inputs[iAsInput] = input @@ -344,7 +344,7 @@ func TestLogNbInstances(t *testing.T) { return func(t *testing.T) { testCase, err := getTestCase(path) assert.NoError(t, err) - wires := topologicalSortFr(testCase.Circuit) + wires := topologicalSortEmulated(testCase.Circuit) serializedProof := testCase.Proof.Serialize() logNbInstances := computeLogNbInstances(wires, len(serializedProof)) assert.Equal(t, 1, logNbInstances) @@ -361,23 +361,23 @@ func TestLogNbInstances(t *testing.T) { func TestLoadCircuit(t *testing.T) { c, err := getCircuit("test_vectors/resources/two_identity_gates_composed_single_input.json") assert.NoError(t, err) - assert.Equal(t, []*WireFr[FR]{}, c[0].Inputs) - assert.Equal(t, []*WireFr[FR]{&c[0]}, c[1].Inputs) - assert.Equal(t, []*WireFr[FR]{&c[1]}, c[2].Inputs) + assert.Equal(t, []*WireEmulated[FR]{}, c[0].Inputs) + assert.Equal(t, []*WireEmulated[FR]{&c[0]}, c[1].Inputs) + assert.Equal(t, []*WireEmulated[FR]{&c[1]}, c[2].Inputs) } func TestTopSortTrivial(t *testing.T) { - c := make(CircuitFr[FR], 2) - c[0].Inputs = []*WireFr[FR]{&c[1]} - sorted := topologicalSortFr(c) - assert.Equal(t, []*WireFr[FR]{&c[1], &c[0]}, sorted) + c := make(CircuitEmulated[FR], 2) + c[0].Inputs = []*WireEmulated[FR]{&c[1]} + sorted := topologicalSortEmulated(c) + assert.Equal(t, []*WireEmulated[FR]{&c[1], &c[0]}, sorted) } func TestTopSortSingleGate(t *testing.T) { - c := make(CircuitFr[FR], 3) - c[0].Inputs = []*WireFr[FR]{&c[1], &c[2]} - sorted := topologicalSortFr[FR](c) - expected := []*WireFr[FR]{&c[1], &c[2], &c[0]} + c := make(CircuitEmulated[FR], 3) + c[0].Inputs = []*WireEmulated[FR]{&c[1], &c[2]} + sorted := topologicalSortEmulated(c) + expected := []*WireEmulated[FR]{&c[1], &c[2], &c[0]} assert.True(t, SliceEqual(sorted, expected)) //TODO: Remove AssertSliceEqual(t, sorted, expected) assert.Equal(t, c[0].nbUniqueOutputs, 0) @@ -386,30 +386,30 @@ func TestTopSortSingleGate(t *testing.T) { } func TestTopSortDeep(t *testing.T) { - c := make(CircuitFr[FR], 4) - c[0].Inputs = []*WireFr[FR]{&c[2]} - c[1].Inputs = []*WireFr[FR]{&c[3]} - c[2].Inputs = []*WireFr[FR]{} - c[3].Inputs = []*WireFr[FR]{&c[0]} - sorted := topologicalSortFr[FR](c) - assert.Equal(t, []*WireFr[FR]{&c[2], &c[0], &c[3], &c[1]}, sorted) + c := make(CircuitEmulated[FR], 4) + c[0].Inputs = []*WireEmulated[FR]{&c[2]} + c[1].Inputs = []*WireEmulated[FR]{&c[3]} + c[2].Inputs = []*WireEmulated[FR]{} + c[3].Inputs = []*WireEmulated[FR]{&c[0]} + sorted := topologicalSortEmulated(c) + assert.Equal(t, []*WireEmulated[FR]{&c[2], &c[0], &c[3], &c[1]}, sorted) } func TestTopSortWide(t *testing.T) { - c := make(CircuitFr[FR], 10) - c[0].Inputs = []*WireFr[FR]{&c[3], &c[8]} - c[1].Inputs = []*WireFr[FR]{&c[6]} - c[2].Inputs = []*WireFr[FR]{&c[4]} - c[3].Inputs = []*WireFr[FR]{} - c[4].Inputs = []*WireFr[FR]{} - c[5].Inputs = []*WireFr[FR]{&c[9]} - c[6].Inputs = []*WireFr[FR]{&c[9]} - c[7].Inputs = []*WireFr[FR]{&c[9], &c[5], &c[2]} - c[8].Inputs = []*WireFr[FR]{&c[4], &c[3]} - c[9].Inputs = []*WireFr[FR]{} - - sorted := topologicalSortFr[FR](c) - sortedExpected := []*WireFr[FR]{&c[3], &c[4], &c[2], &c[8], &c[0], &c[9], &c[5], &c[6], &c[1], &c[7]} + c := make(CircuitEmulated[FR], 10) + c[0].Inputs = []*WireEmulated[FR]{&c[3], &c[8]} + c[1].Inputs = []*WireEmulated[FR]{&c[6]} + c[2].Inputs = []*WireEmulated[FR]{&c[4]} + c[3].Inputs = []*WireEmulated[FR]{} + c[4].Inputs = []*WireEmulated[FR]{} + c[5].Inputs = []*WireEmulated[FR]{&c[9]} + c[6].Inputs = []*WireEmulated[FR]{&c[9]} + c[7].Inputs = []*WireEmulated[FR]{&c[9], &c[5], &c[2]} + c[8].Inputs = []*WireEmulated[FR]{&c[4], &c[3]} + c[9].Inputs = []*WireEmulated[FR]{} + + sorted := topologicalSortEmulated(c) + sortedExpected := []*WireEmulated[FR]{&c[3], &c[4], &c[2], &c[8], &c[0], &c[9], &c[5], &c[6], &c[1], &c[7]} assert.Equal(t, sortedExpected, sorted) } From 4720856156e4c39a640d662733e08c5de91c153e Mon Sep 17 00:00:00 2001 From: ak36 Date: Mon, 17 Jun 2024 23:49:52 -0400 Subject: [PATCH 14/26] removed all Fr with Emulated --- std/recursion/gkr/gkr_nonnative.go | 34 +++++++++++++++--------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index 3c8a202d6b..7d1a41d3d9 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -127,7 +127,7 @@ type WireAssignmentEmulated[FR emulated.FieldParams] map[*WireEmulated[FR]]polyn type Proofs[FR emulated.FieldParams] []sumcheck.Proof[FR] // for each layer, for each wire, a sumcheck (for each variable, a polynomial) -type eqTimesGateEvalSumcheckLazyClaimsFr[FR emulated.FieldParams] struct { +type eqTimesGateEvalSumcheckLazyClaimsEmulated[FR emulated.FieldParams] struct { wire *WireEmulated[FR] evaluationPoints [][]emulated.Element[FR] claimedEvaluations []emulated.Element[FR] @@ -136,7 +136,7 @@ type eqTimesGateEvalSumcheckLazyClaimsFr[FR emulated.FieldParams] struct { engine *sumcheck.EmuEngine[FR] } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof sumcheck.DeferredEvalProof[FR]) error { +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof sumcheck.DeferredEvalProof[FR]) error { inputEvaluationsNoRedundancy := proof field := emulated.Field[FR]{} p, err := polynomial.New[FR](e.verifier.api) @@ -189,24 +189,24 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) VerifyFinalEval(r []emulated.E return nil } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) NbClaims() int { +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) NbClaims() int { return len(e.evaluationPoints) } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) NbVars() int { +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) NbVars() int { return len(e.evaluationPoints[0]) } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) CombinedSum(a *emulated.Element[FR]) *emulated.Element[FR] { +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) CombinedSum(a *emulated.Element[FR]) *emulated.Element[FR] { evalsAsPoly := polynomial.Univariate[FR](e.claimedEvaluations) return e.verifier.p.EvalUnivariate(evalsAsPoly, a) } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) Degree(int) int { +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) Degree(int) int { return 1 + e.wire.Gate.Degree() } -func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof sumcheck.EvaluationProof) error { +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof sumcheck.EvaluationProof) error { field := emulated.Field[FR]{} val, err := e.verifier.p.EvalMultilinear(r, e.manager.assignment[e.wire]) if err != nil { @@ -217,18 +217,18 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsFr[FR]) AssertEvaluation(r []*emulated } type claimsManagerEmulated[FR emulated.FieldParams] struct { - claimsMap map[*WireEmulated[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR] + claimsMap map[*WireEmulated[FR]]*eqTimesGateEvalSumcheckLazyClaimsEmulated[FR] assignment WireAssignmentEmulated[FR] } func newClaimsManagerEmulated[FR emulated.FieldParams](c CircuitEmulated[FR], assignment WireAssignmentEmulated[FR], verifier GKRVerifier[FR]) (claims claimsManagerEmulated[FR]) { claims.assignment = assignment - claims.claimsMap = make(map[*WireEmulated[FR]]*eqTimesGateEvalSumcheckLazyClaimsFr[FR], len(c)) + claims.claimsMap = make(map[*WireEmulated[FR]]*eqTimesGateEvalSumcheckLazyClaimsEmulated[FR], len(c)) for i := range c { wire := &c[i] - claims.claimsMap[wire] = &eqTimesGateEvalSumcheckLazyClaimsFr[FR]{ + claims.claimsMap[wire] = &eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]{ wire: wire, evaluationPoints: make([][]emulated.Element[FR], 0, wire.NbClaims()), claimedEvaluations: make(polynomial.Multilinear[FR], wire.NbClaims()), @@ -246,7 +246,7 @@ func (m *claimsManagerEmulated[FR]) add(wire *WireEmulated[FR], evaluationPoint claim.evaluationPoints = append(claim.evaluationPoints, evaluationPoint) } -func (m *claimsManagerEmulated[FR]) getLazyClaim(wire *WireEmulated[FR]) *eqTimesGateEvalSumcheckLazyClaimsFr[FR] { +func (m *claimsManagerEmulated[FR]) getLazyClaim(wire *WireEmulated[FR]) *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR] { return m.claimsMap[wire] } @@ -565,9 +565,9 @@ type SettingsEmulated[FR emulated.FieldParams] struct { nbVars int } -type OptionFr[FR emulated.FieldParams] func(*SettingsEmulated[FR]) +type OptionEmulated[FR emulated.FieldParams] func(*SettingsEmulated[FR]) -func WithSortedCircuit[FR emulated.FieldParams](sorted []*WireEmulated[FR]) OptionFr[FR] { +func WithSortedCircuitEmulated[FR emulated.FieldParams](sorted []*WireEmulated[FR]) OptionEmulated[FR] { return func(options *SettingsEmulated[FR]) { options.sorted = sorted } @@ -631,7 +631,7 @@ func (v *GKRVerifier[FR]) bindChallenge(fs *fiatshamir.Transcript, challengeName return nil } -func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitEmulated[FR], assignment WireAssignmentEmulated[FR], transcriptSettings fiatshamir.SettingsEmulated[FR], options ...OptionFr[FR]) (SettingsEmulated[FR], error) { +func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitEmulated[FR], assignment WireAssignmentEmulated[FR], transcriptSettings fiatshamir.SettingsEmulated[FR], options ...OptionEmulated[FR]) (SettingsEmulated[FR], error) { var fr FR var o SettingsEmulated[FR] var err error @@ -655,7 +655,7 @@ func (v *GKRVerifier[FR]) setup(api frontend.API, c CircuitEmulated[FR], assignm } if transcriptSettings.Transcript == nil { - challengeNames := ChallengeNamesFr(o.sorted, o.nbVars, transcriptSettings.Prefix) + challengeNames := ChallengeNamesEmulated(o.sorted, o.nbVars, transcriptSettings.Prefix) o.transcript, err = recursion.NewTranscript(api, fr.Modulus(), challengeNames) if err != nil { return o, fmt.Errorf("new transcript: %w", err) @@ -739,7 +739,7 @@ func ChallengeNames(sorted []*Wire, logNbInstances int, prefix string) []string return challenges } -func ChallengeNamesFr[FR emulated.FieldParams](sorted []*WireEmulated[FR], logNbInstances int, prefix string) []string { +func ChallengeNamesEmulated[FR emulated.FieldParams](sorted []*WireEmulated[FR], logNbInstances int, prefix string) []string { // Pre-compute the size TODO: Consider not doing this and just grow the list by appending size := logNbInstances // first challenge @@ -872,7 +872,7 @@ func Prove(api frontend.API, current *big.Int, target *big.Int, c Circuit, assig // Verify the consistency of the claimed output with the claimed input // Unlike in Prove, the assignment argument need not be complete, // Use valueOfProof[FR](proof) to convert nativeproof by prover into nonnativeproof used by in-circuit verifier -func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitEmulated[FR], assignment WireAssignmentEmulated[FR], proof Proofs[FR], transcriptSettings fiatshamir.SettingsEmulated[FR], options ...OptionFr[FR]) error { +func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitEmulated[FR], assignment WireAssignmentEmulated[FR], proof Proofs[FR], transcriptSettings fiatshamir.SettingsEmulated[FR], options ...OptionEmulated[FR]) error { o, err := v.setup(api, c, assignment, transcriptSettings, options...) if err != nil { return err From 218c27a4268225126d65f2860f3fa1ac175b8a4c Mon Sep 17 00:00:00 2001 From: ak36 Date: Tue, 18 Jun 2024 21:06:43 -0400 Subject: [PATCH 15/26] testing single add gate --- frontend/variable.go | 524 +-------------------- internal/parallel/execute.go | 56 +++ std/fiat-shamir/settings.go | 11 +- std/polynomial/polynomial.go | 17 - std/recursion/gkr/gkr_nonnative.go | 35 +- std/recursion/gkr/gkr_nonnative_test.go | 599 +++++++++++++++++------- std/recursion/gkr/utils/util.go | 175 +++++++ 7 files changed, 698 insertions(+), 719 deletions(-) create mode 100644 internal/parallel/execute.go create mode 100644 std/recursion/gkr/utils/util.go diff --git a/frontend/variable.go b/frontend/variable.go index b0eda66c0c..1567903a33 100644 --- a/frontend/variable.go +++ b/frontend/variable.go @@ -16,14 +16,7 @@ limitations under the License. package frontend -import ( - "encoding/binary" - "errors" - "math/big" - "math/bits" - - "github.com/consensys/gnark-crypto/field/pool" - +import ( "github.com/consensys/gnark/frontend/internal/expr" ) @@ -32,521 +25,6 @@ import ( // The only purpose of putting this definition here is to avoid the import cycles (cs/plonk <-> frontend) and (cs/r1cs <-> frontend) type Variable interface{} -type Element [4]uint64 - -var qInvNeg uint64 - -// Field modulus q -var ( - q0 uint64 - q1 uint64 - q2 uint64 - q3 uint64 -) - -var _modulus big.Int // q stored as big.Int - -// SetZero z = 0 -func (z *Element) SetZero() *Element { - z[0] = 0 - z[1] = 0 - z[2] = 0 - z[3] = 0 - return z -} - -// rSquare where r is the Montgommery constant -// see section 2.3.2 of Tolga Acar's thesis -// https://www.microsoft.com/en-us/research/wp-content/uploads/1998/06/97Acar.pdf -var rSquare = Element{ -} - -const ( - Limbs = 4 // number of 64 bits words needed to represent a Element - Bits = 254 // number of bits needed to represent a Element - Bytes = 32 // number of bytes needed to represent a Element -) - -// fromMont converts z in place (i.e. mutates) from Montgomery to regular representation -// sets and returns z = z * 1 -func (z *Element) fromMont() *Element { - fromMont(z) - return z -} - -func fromMont(z *Element) { - _fromMontGeneric(z) -} - -func _fromMontGeneric(z *Element) { - // the following lines implement z = z * 1 - // with a modified CIOS montgomery multiplication - // see Mul for algorithm documentation - { - // m = z[0]n'[0] mod W - m := z[0] * qInvNeg - C := madd0(m, q0, z[0]) - C, z[0] = madd2(m, q1, z[1], C) - C, z[1] = madd2(m, q2, z[2], C) - C, z[2] = madd2(m, q3, z[3], C) - z[3] = C - } - { - // m = z[0]n'[0] mod W - m := z[0] * qInvNeg - C := madd0(m, q0, z[0]) - C, z[0] = madd2(m, q1, z[1], C) - C, z[1] = madd2(m, q2, z[2], C) - C, z[2] = madd2(m, q3, z[3], C) - z[3] = C - } - { - // m = z[0]n'[0] mod W - m := z[0] * qInvNeg - C := madd0(m, q0, z[0]) - C, z[0] = madd2(m, q1, z[1], C) - C, z[1] = madd2(m, q2, z[2], C) - C, z[2] = madd2(m, q3, z[3], C) - z[3] = C - } - { - // m = z[0]n'[0] mod W - m := z[0] * qInvNeg - C := madd0(m, q0, z[0]) - C, z[0] = madd2(m, q1, z[1], C) - C, z[1] = madd2(m, q2, z[2], C) - C, z[2] = madd2(m, q3, z[3], C) - z[3] = C - } - - // if z ⩾ q → z -= q - if !z.smallerThanModulus() { - var b uint64 - z[0], b = bits.Sub64(z[0], q0, 0) - z[1], b = bits.Sub64(z[1], q1, b) - z[2], b = bits.Sub64(z[2], q2, b) - z[3], _ = bits.Sub64(z[3], q3, b) - } -} - -// smallerThanModulus returns true if z < q -// This is not constant time -func (z *Element) smallerThanModulus() bool { - return (z[3] < q3 || (z[3] == q3 && (z[2] < q2 || (z[2] == q2 && (z[1] < q1 || (z[1] == q1 && (z[0] < q0))))))) -} - -// madd0 hi = a*b + c (discards lo bits) -func madd0(a, b, c uint64) (hi uint64) { - var carry, lo uint64 - hi, lo = bits.Mul64(a, b) - _, carry = bits.Add64(lo, c, 0) - hi, _ = bits.Add64(hi, 0, carry) - return -} - -// madd1 hi, lo = a*b + c -func madd1(a, b, c uint64) (hi uint64, lo uint64) { - var carry uint64 - hi, lo = bits.Mul64(a, b) - lo, carry = bits.Add64(lo, c, 0) - hi, _ = bits.Add64(hi, 0, carry) - return -} - -// madd2 hi, lo = a*b + c + d -func madd2(a, b, c, d uint64) (hi uint64, lo uint64) { - var carry uint64 - hi, lo = bits.Mul64(a, b) - c, carry = bits.Add64(c, d, 0) - hi, _ = bits.Add64(hi, 0, carry) - lo, carry = bits.Add64(lo, c, 0) - hi, _ = bits.Add64(hi, 0, carry) - return -} - -func madd3(a, b, c, d, e uint64) (hi uint64, lo uint64) { - var carry uint64 - hi, lo = bits.Mul64(a, b) - c, carry = bits.Add64(c, d, 0) - hi, _ = bits.Add64(hi, 0, carry) - lo, carry = bits.Add64(lo, c, 0) - hi, _ = bits.Add64(hi, e, carry) - return -} -func max(a int, b int) int { - if a > b { - return a - } - return b -} - -func min(a int, b int) int { - if a < b { - return a - } - return b -} - -// BigEndian is the big-endian implementation of ByteOrder and AppendByteOrder. -var BigEndian bigEndian - -type bigEndian struct{} - -// Element interpret b is a big-endian 32-byte slice. -// If b encodes a value higher than q, Element returns error. -func (bigEndian) Element(b *[Bytes]byte) (Element, error) { - var z Element - z[0] = binary.BigEndian.Uint64((*b)[24:32]) - z[1] = binary.BigEndian.Uint64((*b)[16:24]) - z[2] = binary.BigEndian.Uint64((*b)[8:16]) - z[3] = binary.BigEndian.Uint64((*b)[0:8]) - - if !z.smallerThanModulus() { - return Element{}, errors.New("invalid fr.Element encoding") - } - - z.toMont() - return z, nil -} - -// toMont converts z to Montgomery form -// sets and returns z = z * r² -func (z *Element) toMont() *Element { - return z.Mul(z, &rSquare) -} - -// Mul z = x * y (mod q) -// -// x and y must be less than q -func (z *Element) Mul(x, y *Element) *Element { - - // Implements CIOS multiplication -- section 2.3.2 of Tolga Acar's thesis - // https://www.microsoft.com/en-us/research/wp-content/uploads/1998/06/97Acar.pdf - // - // The algorithm: - // - // for i=0 to N-1 - // C := 0 - // for j=0 to N-1 - // (C,t[j]) := t[j] + x[j]*y[i] + C - // (t[N+1],t[N]) := t[N] + C - // - // C := 0 - // m := t[0]*q'[0] mod D - // (C,_) := t[0] + m*q[0] - // for j=1 to N-1 - // (C,t[j-1]) := t[j] + m*q[j] + C - // - // (C,t[N-1]) := t[N] + C - // t[N] := t[N+1] + C - // - // → N is the number of machine words needed to store the modulus q - // → D is the word size. For example, on a 64-bit architecture D is 2 64 - // → x[i], y[i], q[i] is the ith word of the numbers x,y,q - // → q'[0] is the lowest word of the number -q⁻¹ mod r. This quantity is pre-computed, as it does not depend on the inputs. - // → t is a temporary array of size N+2 - // → C, S are machine words. A pair (C,S) refers to (hi-bits, lo-bits) of a two-word number - // - // As described here https://hackmd.io/@gnark/modular_multiplication we can get rid of one carry chain and simplify: - // (also described in https://eprint.iacr.org/2022/1400.pdf annex) - // - // for i=0 to N-1 - // (A,t[0]) := t[0] + x[0]*y[i] - // m := t[0]*q'[0] mod W - // C,_ := t[0] + m*q[0] - // for j=1 to N-1 - // (A,t[j]) := t[j] + x[j]*y[i] + A - // (C,t[j-1]) := t[j] + m*q[j] + C - // - // t[N-1] = C + A - // - // This optimization saves 5N + 2 additions in the algorithm, and can be used whenever the highest bit - // of the modulus is zero (and not all of the remaining bits are set). - - var t0, t1, t2, t3 uint64 - var u0, u1, u2, u3 uint64 - { - var c0, c1, c2 uint64 - v := x[0] - u0, t0 = bits.Mul64(v, y[0]) - u1, t1 = bits.Mul64(v, y[1]) - u2, t2 = bits.Mul64(v, y[2]) - u3, t3 = bits.Mul64(v, y[3]) - t1, c0 = bits.Add64(u0, t1, 0) - t2, c0 = bits.Add64(u1, t2, c0) - t3, c0 = bits.Add64(u2, t3, c0) - c2, _ = bits.Add64(u3, 0, c0) - - m := qInvNeg * t0 - - u0, c1 = bits.Mul64(m, q0) - _, c0 = bits.Add64(t0, c1, 0) - u1, c1 = bits.Mul64(m, q1) - t0, c0 = bits.Add64(t1, c1, c0) - u2, c1 = bits.Mul64(m, q2) - t1, c0 = bits.Add64(t2, c1, c0) - u3, c1 = bits.Mul64(m, q3) - - t2, c0 = bits.Add64(0, c1, c0) - u3, _ = bits.Add64(u3, 0, c0) - t0, c0 = bits.Add64(u0, t0, 0) - t1, c0 = bits.Add64(u1, t1, c0) - t2, c0 = bits.Add64(u2, t2, c0) - c2, _ = bits.Add64(c2, 0, c0) - t2, c0 = bits.Add64(t3, t2, 0) - t3, _ = bits.Add64(u3, c2, c0) - - } - { - var c0, c1, c2 uint64 - v := x[1] - u0, c1 = bits.Mul64(v, y[0]) - t0, c0 = bits.Add64(c1, t0, 0) - u1, c1 = bits.Mul64(v, y[1]) - t1, c0 = bits.Add64(c1, t1, c0) - u2, c1 = bits.Mul64(v, y[2]) - t2, c0 = bits.Add64(c1, t2, c0) - u3, c1 = bits.Mul64(v, y[3]) - t3, c0 = bits.Add64(c1, t3, c0) - - c2, _ = bits.Add64(0, 0, c0) - t1, c0 = bits.Add64(u0, t1, 0) - t2, c0 = bits.Add64(u1, t2, c0) - t3, c0 = bits.Add64(u2, t3, c0) - c2, _ = bits.Add64(u3, c2, c0) - - m := qInvNeg * t0 - - u0, c1 = bits.Mul64(m, q0) - _, c0 = bits.Add64(t0, c1, 0) - u1, c1 = bits.Mul64(m, q1) - t0, c0 = bits.Add64(t1, c1, c0) - u2, c1 = bits.Mul64(m, q2) - t1, c0 = bits.Add64(t2, c1, c0) - u3, c1 = bits.Mul64(m, q3) - - t2, c0 = bits.Add64(0, c1, c0) - u3, _ = bits.Add64(u3, 0, c0) - t0, c0 = bits.Add64(u0, t0, 0) - t1, c0 = bits.Add64(u1, t1, c0) - t2, c0 = bits.Add64(u2, t2, c0) - c2, _ = bits.Add64(c2, 0, c0) - t2, c0 = bits.Add64(t3, t2, 0) - t3, _ = bits.Add64(u3, c2, c0) - - } - { - var c0, c1, c2 uint64 - v := x[2] - u0, c1 = bits.Mul64(v, y[0]) - t0, c0 = bits.Add64(c1, t0, 0) - u1, c1 = bits.Mul64(v, y[1]) - t1, c0 = bits.Add64(c1, t1, c0) - u2, c1 = bits.Mul64(v, y[2]) - t2, c0 = bits.Add64(c1, t2, c0) - u3, c1 = bits.Mul64(v, y[3]) - t3, c0 = bits.Add64(c1, t3, c0) - - c2, _ = bits.Add64(0, 0, c0) - t1, c0 = bits.Add64(u0, t1, 0) - t2, c0 = bits.Add64(u1, t2, c0) - t3, c0 = bits.Add64(u2, t3, c0) - c2, _ = bits.Add64(u3, c2, c0) - - m := qInvNeg * t0 - - u0, c1 = bits.Mul64(m, q0) - _, c0 = bits.Add64(t0, c1, 0) - u1, c1 = bits.Mul64(m, q1) - t0, c0 = bits.Add64(t1, c1, c0) - u2, c1 = bits.Mul64(m, q2) - t1, c0 = bits.Add64(t2, c1, c0) - u3, c1 = bits.Mul64(m, q3) - - t2, c0 = bits.Add64(0, c1, c0) - u3, _ = bits.Add64(u3, 0, c0) - t0, c0 = bits.Add64(u0, t0, 0) - t1, c0 = bits.Add64(u1, t1, c0) - t2, c0 = bits.Add64(u2, t2, c0) - c2, _ = bits.Add64(c2, 0, c0) - t2, c0 = bits.Add64(t3, t2, 0) - t3, _ = bits.Add64(u3, c2, c0) - - } - { - var c0, c1, c2 uint64 - v := x[3] - u0, c1 = bits.Mul64(v, y[0]) - t0, c0 = bits.Add64(c1, t0, 0) - u1, c1 = bits.Mul64(v, y[1]) - t1, c0 = bits.Add64(c1, t1, c0) - u2, c1 = bits.Mul64(v, y[2]) - t2, c0 = bits.Add64(c1, t2, c0) - u3, c1 = bits.Mul64(v, y[3]) - t3, c0 = bits.Add64(c1, t3, c0) - - c2, _ = bits.Add64(0, 0, c0) - t1, c0 = bits.Add64(u0, t1, 0) - t2, c0 = bits.Add64(u1, t2, c0) - t3, c0 = bits.Add64(u2, t3, c0) - c2, _ = bits.Add64(u3, c2, c0) - - m := qInvNeg * t0 - - u0, c1 = bits.Mul64(m, q0) - _, c0 = bits.Add64(t0, c1, 0) - u1, c1 = bits.Mul64(m, q1) - t0, c0 = bits.Add64(t1, c1, c0) - u2, c1 = bits.Mul64(m, q2) - t1, c0 = bits.Add64(t2, c1, c0) - u3, c1 = bits.Mul64(m, q3) - - t2, c0 = bits.Add64(0, c1, c0) - u3, _ = bits.Add64(u3, 0, c0) - t0, c0 = bits.Add64(u0, t0, 0) - t1, c0 = bits.Add64(u1, t1, c0) - t2, c0 = bits.Add64(u2, t2, c0) - c2, _ = bits.Add64(c2, 0, c0) - t2, c0 = bits.Add64(t3, t2, 0) - t3, _ = bits.Add64(u3, c2, c0) - - } - z[0] = t0 - z[1] = t1 - z[2] = t2 - z[3] = t3 - - // if z ⩾ q → z -= q - if !z.smallerThanModulus() { - var b uint64 - z[0], b = bits.Sub64(z[0], q0, 0) - z[1], b = bits.Sub64(z[1], q1, b) - z[2], b = bits.Sub64(z[2], q2, b) - z[3], _ = bits.Sub64(z[3], q3, b) - } - return z -} - - -func (bigEndian) PutElement(b *[Bytes]byte, e Element) { - e.fromMont() - binary.BigEndian.PutUint64((*b)[24:32], e[0]) - binary.BigEndian.PutUint64((*b)[16:24], e[1]) - binary.BigEndian.PutUint64((*b)[8:16], e[2]) - binary.BigEndian.PutUint64((*b)[0:8], e[3]) -} - -// Bytes returns the value of z as a big-endian byte array -func ToBytes(v Variable) (res [Bytes]byte) { - BigEndian.PutElement(&res, v.(Element)) - return res -} - -// FillBytes sets buf to the absolute value of x, storing it as a zero-extended -// big-endian byte slice, and returns buf. -// -// If the absolute value of x doesn't fit in buf, FillBytes will panic. -func FillBytes(x Variable, buf []byte) []byte { - // Clear whole buffer. (This gets optimized into a memclr.) - for i := range buf { - buf[i] = 0 - } - bytes := ToBytes(x) - copy(buf, bytes[:]) - return buf -} - -// Bytes returns the value of z as a big-endian byte array -func FromBytes(e []byte) Variable { - z := new(Element) - if len(e) == Bytes { - // fast path - v, err := BigEndian.Element((*[Bytes]byte)(e)) - if err == nil { - *z = v - return z - } - } - - // slow path. - // get a big int from our pool - vv := pool.BigInt.Get() - vv.SetBytes(e) - - // set big int - z.SetBigInt(vv) - - // put temporary object back in pool - pool.BigInt.Put(vv) - - return z -} - -// SetBigInt sets z to v and returns z -func (z *Element) SetBigInt(v *big.Int) *Element { - z.SetZero() - - var zero big.Int - - // fast path - c := v.Cmp(&_modulus) - if c == 0 { - // v == 0 - return z - } else if c != 1 && v.Cmp(&zero) != -1 { - // 0 < v < q - return z.setBigInt(v) - } - - // get temporary big int from the pool - vv := pool.BigInt.Get() - - // copy input + modular reduction - vv.Mod(v, &_modulus) - - // set big int byte value - z.setBigInt(vv) - - // release object into pool - pool.BigInt.Put(vv) - return z -} - -// setBigInt assumes 0 ⩽ v < q -func (z *Element) setBigInt(v *big.Int) *Element { - vBits := v.Bits() - - if bits.UintSize == 64 { - for i := 0; i < len(vBits); i++ { - z[i] = uint64(vBits[i]) - } - } else { - for i := 0; i < len(vBits); i++ { - if i%2 == 0 { - z[i/2] = uint64(vBits[i]) - } else { - z[i/2] |= uint64(vBits[i]) << 32 - } - } - } - - return z.toMont() -} - -// Set z = x and returns z -func (z *Element) SetElement(x *Element) *Element { - z[0] = x[0] - z[1] = x[1] - z[2] = x[2] - z[3] = x[3] - return z -} - -func Set(z, x Variable) Variable { - (*z.(*Element)).SetElement(x.(*Element)) - return z -} - // IsCanonical returns true if the Variable has been normalized in a (internal) LinearExpression // by one of the constraint system builder. In other words, if the Variable is a circuit input OR // returned by the API. diff --git a/internal/parallel/execute.go b/internal/parallel/execute.go new file mode 100644 index 0000000000..05f9a8f666 --- /dev/null +++ b/internal/parallel/execute.go @@ -0,0 +1,56 @@ +package parallel + +import ( + "runtime" + "sync" +) + +// Execute process in parallel the work function +func Execute(nbIterations int, work func(int, int), maxCpus ...int) { + + nbTasks := runtime.NumCPU() + if len(maxCpus) == 1 { + nbTasks = maxCpus[0] + if nbTasks < 1 { + nbTasks = 1 + } else if nbTasks > 512 { + nbTasks = 512 + } + } + + if nbTasks == 1 { + // no go routines + work(0, nbIterations) + return + } + + nbIterationsPerCpus := nbIterations / nbTasks + + // more CPUs than tasks: a CPU will work on exactly one iteration + if nbIterationsPerCpus < 1 { + nbIterationsPerCpus = 1 + nbTasks = nbIterations + } + + var wg sync.WaitGroup + + extraTasks := nbIterations - (nbTasks * nbIterationsPerCpus) + extraTasksOffset := 0 + + for i := 0; i < nbTasks; i++ { + wg.Add(1) + _start := i*nbIterationsPerCpus + extraTasksOffset + _end := _start + nbIterationsPerCpus + if extraTasks > 0 { + _end++ + extraTasks-- + extraTasksOffset++ + } + go func() { + work(_start, _end) + wg.Done() + }() + } + + wg.Wait() +} diff --git a/std/fiat-shamir/settings.go b/std/fiat-shamir/settings.go index 4d56522d81..eaf8bae24f 100644 --- a/std/fiat-shamir/settings.go +++ b/std/fiat-shamir/settings.go @@ -1,7 +1,8 @@ package fiatshamir import ( - "github.com/consensys/gnark/frontend" + "math/big" + gohash "hash" "github.com/consensys/gnark/std/hash" "github.com/consensys/gnark/std/math/emulated" ) @@ -9,8 +10,8 @@ import ( type Settings struct { Transcript *Transcript Prefix string - BaseChallenges []frontend.Variable - Hash hash.FieldHasher + BaseChallenges []big.Int + Hash gohash.Hash } type SettingsEmulated[FR emulated.FieldParams] struct { @@ -20,7 +21,7 @@ type SettingsEmulated[FR emulated.FieldParams] struct { Hash hash.FieldHasher } -func WithTranscript(transcript *Transcript, prefix string, baseChallenges ...frontend.Variable) Settings { +func WithTranscript(transcript *Transcript, prefix string, baseChallenges ...big.Int) Settings { return Settings{ Transcript: transcript, Prefix: prefix, @@ -36,7 +37,7 @@ func WithTranscriptFr[FR emulated.FieldParams](transcript *Transcript, prefix st } } -func WithHash(hash hash.FieldHasher, baseChallenges ...frontend.Variable) Settings { +func WithHash(hash gohash.Hash, baseChallenges ...big.Int) Settings { return Settings{ BaseChallenges: baseChallenges, Hash: hash, diff --git a/std/polynomial/polynomial.go b/std/polynomial/polynomial.go index cccbf93563..5bf398c9f3 100644 --- a/std/polynomial/polynomial.go +++ b/std/polynomial/polynomial.go @@ -12,23 +12,6 @@ type MultiLin []frontend.Variable var minFoldScaledLogSize = 16 -func FromSlice(s []frontend.Variable) []*frontend.Variable { - r := make([]*frontend.Variable, len(s)) - for i := range s { - r[i] = &s[i] - } - return r -} - -// FromSliceReferences maps slice of emulated element references to their values. -func FromSliceReferences(in []*frontend.Variable) []frontend.Variable { - r := make([]frontend.Variable, len(in)) - for i := range in { - r[i] = *in[i] - } - return r -} - func _clone(m MultiLin, p *Pool) MultiLin { if p == nil { return m.Clone() diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index 7d1a41d3d9..e73e88bedc 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -16,6 +16,7 @@ import ( "github.com/consensys/gnark/std/math/polynomial" "github.com/consensys/gnark/std/recursion" "github.com/consensys/gnark/std/recursion/sumcheck" + "github.com/consensys/gnark/internal/parallel" ) // @tabaie TODO: Contains many things copy-pasted from gnark-crypto. Generify somehow? @@ -815,7 +816,7 @@ func (v *GKRVerifier[FR]) getChallengesFr(transcript *fiatshamir.Transcript, nam } // Prove consistency of the claimed assignment -func Prove(api frontend.API, current *big.Int, target *big.Int, c Circuit, assignment WireAssignment, transcriptSettings fiatshamir.Settings, options ...OptionGkr) (NativeProofs, error) { +func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignment, transcriptSettings fiatshamir.Settings, options ...OptionGkr) (NativeProofs, error) { be := sumcheck.NewBigIntEngine(target) o, err := setup(current, target, c, assignment, options...) if err != nil { @@ -1104,6 +1105,38 @@ func topologicalSort(c Circuit) []*Wire { return sorted } +// Complete the circuit evaluation from input values +func (a WireAssignment) Complete(c Circuit, target *big.Int) WireAssignment { + + engine := sumcheck.NewBigIntEngine(target) + sortedWires := topologicalSort(c) + nbInstances := a.NumInstances() + maxNbIns := 0 + + for _, w := range sortedWires { + maxNbIns = utils.Max(maxNbIns, len(w.Inputs)) + if a[w] == nil { + a[w] = make([]*big.Int, nbInstances) + } + } + + parallel.Execute(nbInstances, func(start, end int) { + ins := make([]*big.Int, maxNbIns) + for i := start; i < end; i++ { + for _, w := range sortedWires { + if !w.IsInput() { + for inI, in := range w.Inputs { + ins[inI] = a[in][i] + } + a[w][i] = w.Gate.Evaluate(engine, ins[:len(w.Inputs)]...) + } + } + } + }) + + return a +} + func (a WireAssignment) NumInstances() int { for _, aW := range a { if aW != nil { diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index e8d7c257dd..07db6e3e31 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -6,15 +6,15 @@ import ( "os" "path/filepath" "reflect" + //"strconv" "testing" + "math/big" "github.com/consensys/gnark-crypto/ecc" "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" - "github.com/consensys/gnark/frontend/cs/r1cs" - "github.com/consensys/gnark/profile" fiatshamir "github.com/consensys/gnark/std/fiat-shamir" - "github.com/consensys/gnark/std/hash" + "github.com/consensys/gnark/std/recursion/gkr/utils" "github.com/consensys/gnark/std/math/emulated" mathpoly "github.com/consensys/gnark/std/math/polynomial" "github.com/consensys/gnark/std/recursion" @@ -23,14 +23,374 @@ import ( "github.com/stretchr/testify/assert" ) -type FR = emulated.BN254Fr +type FR = emulated.BN254Fp -var Gates = map[string]GateEmulated[FR]{ +var GatesEmulated = map[string]GateEmulated[FR]{ "identity": IdentityGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, "add": AddGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, "mul": MulGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, } +var Gates = map[string]Gate{ + "identity": IdentityGate[*sumcheck.BigIntEngine, *big.Int]{}, + "add": AddGate[*sumcheck.BigIntEngine, *big.Int]{}, + "mul": MulGate[*sumcheck.BigIntEngine, *big.Int]{}, +} + +// func TestNoGateTwoInstances(t *testing.T) { +// // Testing a single instance is not possible because the sumcheck implementation doesn't cover the trivial 0-variate case +// testNoGate(t, []emulated.Element[FR]{four, three}) +// } + +// func TestNoGate(t *testing.T) { +// testManyInstances(t, 1, testNoGate) +// } + +func TestSingleAddGateTwoInstances(t *testing.T) { + current := ecc.BN254.ScalarField() + var fr FR + testSingleAddGate(t, current, fr.Modulus(), []*big.Int{&four, &three}, []*big.Int{&two, &three}) +} + +// func TestSingleAddGate(t *testing.T) { +// testManyInstances(t, 2, testSingleAddGate) +// } + +// func TestSingleMulGateTwoInstances(t *testing.T) { +// testSingleMulGate(t, []emulated.Element[FR]{four, three}, []emulated.Element[FR]{two, three}) +// } + +// func TestSingleMulGate(t *testing.T) { +// testManyInstances(t, 2, testSingleMulGate) +// } + +// func TestSingleInputTwoIdentityGatesTwoInstances(t *testing.T) { + +// testSingleInputTwoIdentityGates(t, []fr.Element{two, three}) +// } + +// func TestSingleInputTwoIdentityGates(t *testing.T) { + +// testManyInstances(t, 2, testSingleInputTwoIdentityGates) +// } + +// func TestSingleInputTwoIdentityGatesComposedTwoInstances(t *testing.T) { +// testSingleInputTwoIdentityGatesComposed(t, []fr.Element{two, one}) +// } + +// func TestSingleInputTwoIdentityGatesComposed(t *testing.T) { +// testManyInstances(t, 1, testSingleInputTwoIdentityGatesComposed) +// } + +// func TestSingleMimcCipherGateTwoInstances(t *testing.T) { +// testSingleMimcCipherGate(t, []fr.Element{one, one}, []fr.Element{one, two}) +// } + +// func TestSingleMimcCipherGate(t *testing.T) { +// testManyInstances(t, 2, testSingleMimcCipherGate) +// } + +// func TestATimesBSquaredTwoInstances(t *testing.T) { +// testATimesBSquared(t, 2, []fr.Element{one, one}, []fr.Element{one, two}) +// } + +// func TestShallowMimcTwoInstances(t *testing.T) { +// testMimc(t, 2, []fr.Element{one, one}, []fr.Element{one, two}) +// } +// func TestMimcTwoInstances(t *testing.T) { +// testMimc(t, 93, []fr.Element{one, one}, []fr.Element{one, two}) +// } + +// func TestMimc(t *testing.T) { +// testManyInstances(t, 2, generateTestMimc(93)) +// } + +// func generateTestMimc(numRounds int) func(*testing.T, ...[]fr.Element) { +// return func(t *testing.T, inputAssignments ...[]fr.Element) { +// testMimc(t, numRounds, inputAssignments...) +// } +// } + +// func TestSumcheckFromSingleInputTwoIdentityGatesGateTwoInstances(t *testing.T) { +// circuit := Circuit{Wire{ +// Gate: IdentityGate{}, +// Inputs: []*Wire{}, +// nbUniqueOutputs: 2, +// }} + +// wire := &circuit[0] + +// assignment := WireAssignment{&circuit[0]: []fr.Element{two, three}} +// var o settings +// pool := polynomial.NewPool(256, 1<<11) +// workers := utils.NewWorkerPool() +// o.pool = &pool +// o.workers = workers + +// claimsManagerGen := func() *claimsManager { +// manager := newClaimsManager(circuit, assignment, o) +// manager.add(wire, []fr.Element{three}, five) +// manager.add(wire, []fr.Element{four}, six) +// return &manager +// } + +// transcriptGen := utils.NewMessageCounterGenerator(4, 1) + +// proof, err := sumcheck.Prove(claimsManagerGen().getClaim(wire), fiatshamir.WithHash(transcriptGen(), nil)) +// assert.NoError(t, err) +// err = sumcheck.Verify(claimsManagerGen().getLazyClaim(wire), proof, fiatshamir.WithHash(transcriptGen(), nil)) +// assert.NoError(t, err) +// } + +var one, two, three, four, five, six big.Int + +// func init() { +// one.SetOne() +// two.Double(&one) +// three.Add(&two, &one) +// four.Double(&two) +// five.Add(&three, &two) +// six.Double(&three) +// } + +// var testManyInstancesLogMaxInstances = -1 + +// func getLogMaxInstances(t *testing.T) int { +// if testManyInstancesLogMaxInstances == -1 { + +// s := os.Getenv("GKR_LOG_INSTANCES") +// if s == "" { +// testManyInstancesLogMaxInstances = 5 +// } else { +// var err error +// testManyInstancesLogMaxInstances, err = strconv.Atoi(s) +// if err != nil { +// t.Error(err) +// } +// } + +// } +// return testManyInstancesLogMaxInstances +// } + +// func testManyInstances(t *testing.T, numInput int, test func(*testing.T, ...[]emulated.Element[FR])) { +// fullAssignments := make([][]emulated.Element[FR], numInput) +// maxSize := 1 << getLogMaxInstances(t) + +// t.Log("Entered test orchestrator, assigning and randomizing inputs") + +// for i := range fullAssignments { +// fullAssignments[i] = make([]emulated.Element[FR], maxSize) +// setRandom(fullAssignments[i]) +// } + +// inputAssignments := make([][]emulated.Element[FR], numInput) +// for numEvals := maxSize; numEvals <= maxSize; numEvals *= 2 { +// for i, fullAssignment := range fullAssignments { +// inputAssignments[i] = fullAssignment[:numEvals] +// } + +// t.Log("Selected inputs for test") +// test(t, inputAssignments...) +// } +// } + +// func testNoGate(t *testing.T, inputAssignments ...[]*big.Int) { +// c := Circuit{ +// { +// Inputs: []*Wire{}, +// Gate: nil, +// }, +// } + +// assignment := WireAssignment{&c[0]: sumcheck.NativeMultilinear(inputAssignments[0])} +// assignmentEmulated := WireAssignmentEmulated[FR]{&c[0]: sumcheck.NativeMultilinear(inputAssignments[0])} + +// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) +// assert.NoError(t, err) + +// // Even though a hash is called here, the proof is empty + +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) +// assert.NoError(t, err, "proof rejected") +// } + +func testSingleAddGate(t *testing.T, current *big.Int, target *big.Int, inputAssignments ...[]*big.Int) { + c := make(Circuit, 3) + c[2] = Wire{ + Gate: Gates["add"], + Inputs: []*Wire{&c[0], &c[1]}, + } + + assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c, target) + + proof, err := Prove(current, target, c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) + assert.NoError(t, err) + fmt.Println(proof) + + // err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) + // assert.NoError(t, err, "proof rejected") + + // err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) + // assert.NotNil(t, err, "bad proof accepted") +} + +// func testSingleMulGate(t *testing.T, inputAssignments ...[]fr.Element) { + +// c := make(Circuit, 3) +// c[2] = Wire{ +// Gate: Gates["mul"], +// Inputs: []*Wire{&c[0], &c[1]}, +// } + +// assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c) + +// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) +// assert.NoError(t, err) + +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) +// assert.NoError(t, err, "proof rejected") + +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NotNil(t, err, "bad proof accepted") +// } + +// func testSingleInputTwoIdentityGates(t *testing.T, inputAssignments ...[]fr.Element) { +// c := make(Circuit, 3) + +// c[1] = Wire{ +// Gate: IdentityGate{}, +// Inputs: []*Wire{&c[0]}, +// } + +// c[2] = Wire{ +// Gate: IdentityGate{}, +// Inputs: []*Wire{&c[0]}, +// } + +// assignment := WireAssignment{&c[0]: inputAssignments[0]}.Complete(c) + +// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NoError(t, err) + +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NoError(t, err, "proof rejected") + +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) +// assert.NotNil(t, err, "bad proof accepted") +// } + +// func testSingleMimcCipherGate(t *testing.T, inputAssignments ...[]fr.Element) { +// c := make(Circuit, 3) + +// c[2] = Wire{ +// Gate: mimcCipherGate{}, +// Inputs: []*Wire{&c[0], &c[1]}, +// } + +// t.Log("Evaluating all circuit wires") +// assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c) +// t.Log("Circuit evaluation complete") +// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NoError(t, err) +// t.Log("Proof complete") +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NoError(t, err, "proof rejected") + +// t.Log("Successful verification complete") +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) +// assert.NotNil(t, err, "bad proof accepted") +// t.Log("Unsuccessful verification complete") +// } + +// func testSingleInputTwoIdentityGatesComposed(t *testing.T, inputAssignments ...[]fr.Element) { +// c := make(Circuit, 3) + +// c[1] = Wire{ +// Gate: IdentityGate{}, +// Inputs: []*Wire{&c[0]}, +// } +// c[2] = Wire{ +// Gate: IdentityGate{}, +// Inputs: []*Wire{&c[1]}, +// } + +// assignment := WireAssignment{&c[0]: inputAssignments[0]}.Complete(c) + +// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NoError(t, err) + +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NoError(t, err, "proof rejected") + +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) +// assert.NotNil(t, err, "bad proof accepted") +// } + +// func mimcCircuit(numRounds int) Circuit { +// c := make(Circuit, numRounds+2) + +// for i := 2; i < len(c); i++ { +// c[i] = Wire{ +// Gate: mimcCipherGate{}, +// Inputs: []*Wire{&c[i-1], &c[0]}, +// } +// } +// return c +// } + +// func testMimc(t *testing.T, numRounds int, inputAssignments ...[]fr.Element) { +// // TODO: Implement mimc correctly. Currently, the computation is mimc(a,b) = cipher( cipher( ... cipher(a, b), b) ..., b) +// // @AlexandreBelling: Please explain the extra layers in https://github.com/ConsenSys/gkr-mimc/blob/81eada039ab4ed403b7726b535adb63026e8011f/examples/mimc.go#L10 + +// c := mimcCircuit(numRounds) + +// t.Log("Evaluating all circuit wires") +// assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c) +// t.Log("Circuit evaluation complete") + +// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NoError(t, err) + +// t.Log("Proof finished") +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NoError(t, err, "proof rejected") + +// t.Log("Successful verification finished") +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) +// assert.NotNil(t, err, "bad proof accepted") +// t.Log("Unsuccessful verification finished") +// } + +// func testATimesBSquared(t *testing.T, numRounds int, inputAssignments ...[]fr.Element) { +// // This imitates the MiMC circuit + +// c := make(Circuit, numRounds+2) + +// for i := 2; i < len(c); i++ { +// c[i] = Wire{ +// Gate: Gates["mul"], +// Inputs: []*Wire{&c[i-1], &c[0]}, +// } +// } + +// assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c) + +// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NoError(t, err) + +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) +// assert.NoError(t, err, "proof rejected") + +// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) +// assert.NotNil(t, err, "bad proof accepted") +// } + +// func setRandom(slice []fr.Element) { +// for i := range slice { +// slice[i].SetRandom() +// } +// } func TestGkrVectorsFr(t *testing.T) { testDirPath := "./test_vectors" @@ -71,7 +431,7 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { assert := test.NewAssert(t) assert.NoError(err) - assignment := &GkrVerifierCircuitFr{ + assignment := &GkrVerifierCircuitEmulated{ Input: testCase.Input, Output: testCase.Output, SerializedProof: testCase.Proof.Serialize(), @@ -79,7 +439,7 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { TestCaseName: path, } - validCircuit := &GkrVerifierCircuitFr{ + validCircuit := &GkrVerifierCircuitEmulated{ Input: make([][]emulated.Element[FR], len(testCase.Input)), Output: make([][]emulated.Element[FR], len(testCase.Output)), SerializedProof: make([]emulated.Element[FR], len(assignment.SerializedProof)), @@ -87,15 +447,7 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { TestCaseName: path, } - p := profile.Start() - frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, validCircuit) - p.Stop() - - fmt.Println(p.NbConstraints()) - fmt.Println(p.Top()) - //r1cs.CheckUnconstrainedWires() - - invalidCircuit := &GkrVerifierCircuitFr{ + invalidCircuit := &GkrVerifierCircuitEmulated{ Input: make([][]emulated.Element[FR], len(testCase.Input)), Output: make([][]emulated.Element[FR], len(testCase.Output)), SerializedProof: make([]emulated.Element[FR], len(assignment.SerializedProof)), @@ -109,16 +461,16 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { fillWithBlanks(invalidCircuit.Output, len(testCase.Input[0])) if !opts.noSuccess { - assert.CheckCircuit(validCircuit, test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) + assert.CheckCircuit(validCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) } if !opts.noFail { - assert.CheckCircuit(invalidCircuit, test.WithBackends(backend.GROTH16), test.WithInvalidAssignment(assignment)) + assert.CheckCircuit(invalidCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithInvalidAssignment(assignment)) } } } -type GkrVerifierCircuitFr struct { +type GkrVerifierCircuitEmulated struct { Input [][]emulated.Element[FR] Output [][]emulated.Element[FR] `gnark:",public"` SerializedProof []emulated.Element[FR] @@ -126,7 +478,7 @@ type GkrVerifierCircuitFr struct { TestCaseName string } -func (c *GkrVerifierCircuitFr) Define(api frontend.API) error { +func (c *GkrVerifierCircuitEmulated) Define(api frontend.API) error { var fr FR var testCase *TestCase[FR] var proof Proofs[FR] @@ -189,16 +541,16 @@ func fillWithBlanks[FR emulated.FieldParams](slice [][]emulated.Element[FR], siz type TestCase[FR emulated.FieldParams] struct { Circuit CircuitEmulated[FR] - Hash HashDescription + Hash utils.HashDescription Proof Proofs[FR] Input [][]emulated.Element[FR] Output [][]emulated.Element[FR] Name string } type TestCaseInfo struct { - Hash HashDescription `json:"hash"` - Circuit string `json:"circuit"` - Input [][]interface{} `json:"input"` + Hash utils.HashDescription `json:"hash"` + Circuit string `json:"circuit"` + Input [][]interface{} `json:"input"` Output [][]interface{} `json:"output"` Proof PrintableProof `json:"proof"` } @@ -230,8 +582,8 @@ func getTestCase(path string) (*TestCase[FR], error) { cse.Proof = unmarshalProof(info.Proof) - cse.Input = ToVariableSliceSliceFr[FR](info.Input) - cse.Output = ToVariableSliceSliceFr[FR](info.Output) + cse.Input = utils.ToVariableSliceSliceFr[FR](info.Input) + cse.Output = utils.ToVariableSliceSliceFr[FR](info.Output) cse.Hash = info.Hash cse.Name = path testCases[path] = cse @@ -266,7 +618,7 @@ func getCircuit(path string) (circuit CircuitEmulated[FR], err error) { if bytes, err = os.ReadFile(path); err == nil { var circuitInfo CircuitInfo if err = json.Unmarshal(bytes, &circuitInfo); err == nil { - circuit, err = toCircuitFr(circuitInfo) + circuit, err = toCircuitEmulated(circuitInfo) if err == nil { circuitCache[path] = circuit } @@ -275,7 +627,7 @@ func getCircuit(path string) (circuit CircuitEmulated[FR], err error) { return } -func toCircuitFr(c CircuitInfo) (circuit CircuitEmulated[FR], err error) { +func toCircuitEmulated(c CircuitInfo) (circuit CircuitEmulated[FR], err error) { circuit = make(CircuitEmulated[FR], len(c)) for i, wireInfo := range c { circuit[i].Inputs = make([]*WireEmulated[FR], len(wireInfo.Inputs)) @@ -285,7 +637,7 @@ func toCircuitFr(c CircuitInfo) (circuit CircuitEmulated[FR], err error) { } var found bool - if circuit[i].Gate, found = Gates[wireInfo.Gate]; !found && wireInfo.Gate != "" { + if circuit[i].Gate, found = GatesEmulated[wireInfo.Gate]; !found && wireInfo.Gate != "" { err = fmt.Errorf("undefined gate \"%s\"", wireInfo.Gate) } } @@ -296,7 +648,7 @@ func toCircuitFr(c CircuitInfo) (circuit CircuitEmulated[FR], err error) { type _select int func init() { - Gates["select-input-3"] = _select(2) + GatesEmulated["select-input-3"] = _select(2) } func (g _select) Evaluate(_ *sumcheck.EmuEngine[FR], in ...*emulated.Element[FR]) *emulated.Element[FR] { @@ -323,7 +675,7 @@ func unmarshalProof(printable PrintableProof) (proof Proofs[FR]) { finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) finalEvalProof := make(sumcheck.DeferredEvalProof[FR], finalEvalSlice.Len()) for k := range finalEvalProof { - finalEvalProof[k] = ToVariableFr[FR](finalEvalSlice.Index(k).Interface()) + finalEvalProof[k] = utils.ToVariableFr[FR](finalEvalSlice.Index(k).Interface()) } proof[i].FinalEvalProof = finalEvalProof } else { @@ -332,7 +684,7 @@ func unmarshalProof(printable PrintableProof) (proof Proofs[FR]) { proof[i].RoundPolyEvaluations = make([]mathpoly.Univariate[FR], len(printable[i].RoundPolyEvaluations)) for k := range printable[i].RoundPolyEvaluations { - proof[i].RoundPolyEvaluations[k] = ToVariableSliceFr[FR](printable[i].RoundPolyEvaluations[k]) + proof[i].RoundPolyEvaluations[k] = utils.ToVariableSliceFr[FR](printable[i].RoundPolyEvaluations[k]) } } return @@ -378,8 +730,8 @@ func TestTopSortSingleGate(t *testing.T) { c[0].Inputs = []*WireEmulated[FR]{&c[1], &c[2]} sorted := topologicalSortEmulated(c) expected := []*WireEmulated[FR]{&c[1], &c[2], &c[0]} - assert.True(t, SliceEqual(sorted, expected)) //TODO: Remove - AssertSliceEqual(t, sorted, expected) + assert.True(t, utils.SliceEqual(sorted, expected)) //TODO: Remove + utils.AssertSliceEqual(t, sorted, expected) assert.Equal(t, c[0].nbUniqueOutputs, 0) assert.Equal(t, c[1].nbUniqueOutputs, 1) assert.Equal(t, c[2].nbUniqueOutputs, 1) @@ -414,148 +766,49 @@ func TestTopSortWide(t *testing.T) { assert.Equal(t, sortedExpected, sorted) } -func ToVariableFr[FR emulated.FieldParams](v interface{}) emulated.Element[FR] { - switch vT := v.(type) { - case float64: - return *new(emulated.Field[FR]).NewElement(int(vT)) - default: - return *new(emulated.Field[FR]).NewElement(v) - } -} - -func ToVariableSliceFr[FR emulated.FieldParams, V any](slice []V) (variableSlice []emulated.Element[FR]) { - variableSlice = make([]emulated.Element[FR], len(slice)) - for i := range slice { - variableSlice[i] = ToVariableFr[FR](slice[i]) - } - return -} - -func ToVariableSliceSliceFr[FR emulated.FieldParams, V any](sliceSlice [][]V) (variableSliceSlice [][]emulated.Element[FR]) { - variableSliceSlice = make([][]emulated.Element[FR], len(sliceSlice)) - for i := range sliceSlice { - variableSliceSlice[i] = ToVariableSliceFr[FR](sliceSlice[i]) - } - return -} - -func AssertSliceEqual[T comparable](t *testing.T, expected, seen []T) { - assert.Equal(t, len(expected), len(seen)) - for i := range seen { - assert.True(t, expected[i] == seen[i], "@%d: %v != %v", i, expected[i], seen[i]) // assert.Equal is not strict enough when comparing pointers, i.e. it compares what they refer to - } -} - -func SliceEqual[T comparable](expected, seen []T) bool { - if len(expected) != len(seen) { - return false - } - for i := range seen { - if expected[i] != seen[i] { - return false - } - } - return true -} - -type HashDescription map[string]interface{} - -func HashFromDescription(api frontend.API, d HashDescription) (hash.FieldHasher, error) { - if _type, ok := d["type"]; ok { - switch _type { - case "const": - startState := int64(d["val"].(float64)) - return &MessageCounter{startState: startState, step: 0, state: startState, api: api}, nil - default: - return nil, fmt.Errorf("unknown fake hash type \"%s\"", _type) - } - } - return nil, fmt.Errorf("hash description missing type") -} - -type MessageCounter struct { - startState int64 - state int64 - step int64 - - // cheap trick to avoid unconstrained input errors - api frontend.API - zero frontend.Variable -} - -func (m *MessageCounter) Write(data ...frontend.Variable) { - - for i := range data { - sq1, sq2 := m.api.Mul(data[i], data[i]), m.api.Mul(data[i], data[i]) - m.zero = m.api.Sub(sq1, sq2, m.zero) - } - - m.state += int64(len(data)) * m.step -} - -func (m *MessageCounter) Sum() frontend.Variable { - return m.api.Add(m.state, m.zero) -} - -func (m *MessageCounter) Reset() { - m.zero = 0 - m.state = m.startState -} - -func NewMessageCounter(api frontend.API, startState, step int) hash.FieldHasher { - transcript := &MessageCounter{startState: int64(startState), state: int64(startState), step: int64(step), api: api} - return transcript -} - -func NewMessageCounterGenerator(startState, step int) func(frontend.API) hash.FieldHasher { - return func(api frontend.API) hash.FieldHasher { - return NewMessageCounter(api, startState, step) - } -} - -type constHashCircuit struct { - X frontend.Variable -} +// type constHashCircuit struct { +// X frontend.Variable +// } -func (c *constHashCircuit) Define(api frontend.API) error { - hsh := NewMessageCounter(api, 0, 0) - hsh.Reset() - hsh.Write(c.X) - sum := hsh.Sum() - api.AssertIsEqual(sum, 0) - api.AssertIsEqual(api.Mul(c.X, c.X), 1) // ensure we have at least 2 constraints - return nil -} +// func (c *constHashCircuit) Define(api frontend.API) error { +// hsh := utils.NewMessageCounter(api, 0, 0) +// hsh.Reset() +// hsh.Write(c.X) +// sum := hsh.Sum() +// api.AssertIsEqual(sum, 0) +// api.AssertIsEqual(api.Mul(c.X, c.X), 1) // ensure we have at least 2 constraints +// return nil +// } -func TestConstHash(t *testing.T) { - test.NewAssert(t).CheckCircuit( - &constHashCircuit{}, +// func TestConstHash(t *testing.T) { +// test.NewAssert(t).CheckCircuit( +// &constHashCircuit{}, - test.WithValidAssignment(&constHashCircuit{X: 1}), - ) -} +// test.WithValidAssignment(&constHashCircuit{X: 1}), +// ) +// } -var mimcSnarkTotalCalls = 0 +// var mimcSnarkTotalCalls = 0 -type MiMCCipherGate struct { - Ark frontend.Variable -} +// type MiMCCipherGate struct { +// Ark frontend.Variable +// } -func (m MiMCCipherGate) Evaluate(api frontend.API, input ...frontend.Variable) frontend.Variable { - mimcSnarkTotalCalls++ +// func (m MiMCCipherGate) Evaluate(api frontend.API, input ...frontend.Variable) frontend.Variable { +// mimcSnarkTotalCalls++ - if len(input) != 2 { - panic("mimc has fan-in 2") - } - sum := api.Add(input[0], input[1], m.Ark) +// if len(input) != 2 { +// panic("mimc has fan-in 2") +// } +// sum := api.Add(input[0], input[1], m.Ark) - sumCubed := api.Mul(sum, sum, sum) // sum^3 - return api.Mul(sumCubed, sumCubed, sum) -} +// sumCubed := api.Mul(sum, sum, sum) // sum^3 +// return api.Mul(sumCubed, sumCubed, sum) +// } -func (m MiMCCipherGate) Degree() int { - return 7 -} +// func (m MiMCCipherGate) Degree() int { +// return 7 +// } // type PrintableProof []PrintableSumcheckProof @@ -573,7 +826,7 @@ func (m MiMCCipherGate) Degree() int { // finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) // finalEvalProof = make([]fr.Element, finalEvalSlice.Len()) // for k := range finalEvalProof { -// if _, err := test_vector_utils.SetElement(&finalEvalProof[k], finalEvalSlice.Index(k).Interface()); err != nil { +// if _, err := utils.SetElement(&finalEvalProof[k], finalEvalSlice.Index(k).Interface()); err != nil { // return nil, err // } // } @@ -585,7 +838,7 @@ func (m MiMCCipherGate) Degree() int { // } // for k := range printable[i].PartialSumPolys { // var err error -// if proof[i].PartialSumPolys[k], err = test_vector_utils.SliceToElementSlice(printable[i].PartialSumPolys[k]); err != nil { +// if proof[i].PartialSumPolys[k], err = utils.SliceToElementSlice(printable[i].PartialSumPolys[k]); err != nil { // return nil, err // } // } @@ -602,7 +855,7 @@ func (m MiMCCipherGate) Degree() int { // } // type TestCaseInfo struct { -// Hash test_vector_utils.HashDescription `json:"hash"` +// Hash utils.HashDescription `json:"hash"` // Circuit string `json:"circuit"` // Input [][]interface{} `json:"input"` // Output [][]interface{} `json:"output"` @@ -633,7 +886,7 @@ func (m MiMCCipherGate) Degree() int { // return nil, err // } // var _hash hash.Hash -// if _hash, err = test_vector_utils.HashFromDescription(info.Hash); err != nil { +// if _hash, err = utils.HashFromDescription(info.Hash); err != nil { // return nil, err // } // var proof Proof @@ -664,7 +917,7 @@ func (m MiMCCipherGate) Degree() int { // } // if assignmentRaw != nil { // var wireAssignment []fr.Element -// if wireAssignment, err = test_vector_utils.SliceToElementSlice(assignmentRaw); err != nil { +// if wireAssignment, err = utils.SliceToElementSlice(assignmentRaw); err != nil { // return nil, err // } @@ -678,7 +931,7 @@ func (m MiMCCipherGate) Degree() int { // for _, w := range sorted { // if w.IsOutput() { -// if err = test_vector_utils.SliceEquals(inOutAssignment[w], fullAssignment[w]); err != nil { +// if err = utils.SliceEquals(inOutAssignment[w], fullAssignment[w]); err != nil { // return nil, fmt.Errorf("assignment mismatch: %v", err) // } diff --git a/std/recursion/gkr/utils/util.go b/std/recursion/gkr/utils/util.go new file mode 100644 index 0000000000..d285e5b771 --- /dev/null +++ b/std/recursion/gkr/utils/util.go @@ -0,0 +1,175 @@ +package utils + +import ( + "fmt" + "math/big" + "testing" + + "hash" + + "github.com/consensys/gnark/std/math/emulated" + "github.com/stretchr/testify/assert" +) + + +func ToVariableFr[FR emulated.FieldParams](v interface{}) emulated.Element[FR] { + switch vT := v.(type) { + case float64: + return *new(emulated.Field[FR]).NewElement(int(vT)) + default: + return *new(emulated.Field[FR]).NewElement(v) + } +} + +func ToVariableSliceFr[FR emulated.FieldParams, V any](slice []V) (variableSlice []emulated.Element[FR]) { + variableSlice = make([]emulated.Element[FR], len(slice)) + for i := range slice { + variableSlice[i] = ToVariableFr[FR](slice[i]) + } + return +} + +func ToVariableSliceSliceFr[FR emulated.FieldParams, V any](sliceSlice [][]V) (variableSliceSlice [][]emulated.Element[FR]) { + variableSliceSlice = make([][]emulated.Element[FR], len(sliceSlice)) + for i := range sliceSlice { + variableSliceSlice[i] = ToVariableSliceFr[FR](sliceSlice[i]) + } + return +} + +func AssertSliceEqual[T comparable](t *testing.T, expected, seen []T) { + assert.Equal(t, len(expected), len(seen)) + for i := range seen { + assert.True(t, expected[i] == seen[i], "@%d: %v != %v", i, expected[i], seen[i]) // assert.Equal is not strict enough when comparing pointers, i.e. it compares what they refer to + } +} + +func SliceEqual[T comparable](expected, seen []T) bool { + if len(expected) != len(seen) { + return false + } + for i := range seen { + if expected[i] != seen[i] { + return false + } + } + return true +} + +// type HashDescription map[string]interface{} + +// func HashFromDescription(api frontend.API, d HashDescription) (hash.FieldHasher, error) { +// if _type, ok := d["type"]; ok { +// switch _type { +// case "const": +// startState := int64(d["val"].(float64)) +// return &MessageCounter{startState: startState, step: 0, state: startState, api: api}, nil +// default: +// return nil, fmt.Errorf("unknown fake hash type \"%s\"", _type) +// } +// } +// return nil, fmt.Errorf("hash description missing type") +// } + +// type MessageCounter struct { +// startState int64 +// state int64 +// step int64 + +// // cheap trick to avoid unconstrained input errors +// api frontend.API +// zero frontend.Variable +// } + +// func (m *MessageCounter) Write(data ...frontend.Variable) { + +// for i := range data { +// sq1, sq2 := m.api.Mul(data[i], data[i]), m.api.Mul(data[i], data[i]) +// m.zero = m.api.Sub(sq1, sq2, m.zero) +// } + +// m.state += int64(len(data)) * m.step +// } + +// func (m *MessageCounter) Sum() frontend.Variable { +// return m.api.Add(m.state, m.zero) +// } + +// func (m *MessageCounter) Reset() { +// m.zero = 0 +// m.state = m.startState +// } + +// func NewMessageCounter(api frontend.API, startState, step int) hash.FieldHasher { +// transcript := &MessageCounter{startState: int64(startState), state: int64(startState), step: int64(step), api: api} +// return transcript +// } + +// func NewMessageCounterGenerator(startState, step int) func(frontend.API) hash.FieldHasher { +// return func(api frontend.API) hash.FieldHasher { +// return NewMessageCounter(api, startState, step) +// } +// } + +type HashDescription map[string]interface{} + +func HashFromDescription(d HashDescription) (hash.Hash, error) { + if _type, ok := d["type"]; ok { + switch _type { + case "const": + startState := int64(d["val"].(float64)) + return &MessageCounter{startState: startState, step: 0, state: startState}, nil + default: + return nil, fmt.Errorf("unknown fake hash type \"%s\"", _type) + } + } + return nil, fmt.Errorf("hash description missing type") +} + +type MessageCounter struct { + startState int64 + state int64 + step int64 +} + +func (m *MessageCounter) Write(p []byte) (n int, err error) { + var temp big.Int + inputBlockSize := (len(p)-1)/len(temp.Bytes()) + 1 + m.state += int64(inputBlockSize) * m.step + return len(p), nil +} + +func (m *MessageCounter) Sum(b []byte) []byte { + var temp big.Int + inputBlockSize := (len(b)-1)/len(temp.Bytes()) + 1 + resI := m.state + int64(inputBlockSize)*m.step + var res big.Int + res.SetInt64(int64(resI)) + resBytes := res.Bytes() + return resBytes[:] +} + +func (m *MessageCounter) Reset() { + m.state = m.startState +} + +func (m *MessageCounter) Size() int { + var temp big.Int + return len(temp.Bytes()) +} + +func (m *MessageCounter) BlockSize() int { + var temp big.Int + return len(temp.Bytes()) +} + +func NewMessageCounter(startState, step int) hash.Hash { + transcript := &MessageCounter{startState: int64(startState), state: int64(startState), step: int64(step)} + return transcript +} + +func NewMessageCounterGenerator(startState, step int) func() hash.Hash { + return func() hash.Hash { + return NewMessageCounter(startState, step) + } +} \ No newline at end of file From 6670c2dc963fb9487add3ed4dcf638cb4ee883c9 Mon Sep 17 00:00:00 2001 From: ak36 Date: Fri, 21 Jun 2024 12:58:54 -0400 Subject: [PATCH 16/26] testgkrvector fails, debug --- std/fiat-shamir/settings.go | 27 ++- std/math/emulated/field.go | 40 +++- std/math/emulated/field_assert.go | 8 +- std/recursion/gkr/gkr_nonnative.go | 22 +- std/recursion/gkr/gkr_nonnative_test.go | 200 ++++++++++++++---- std/recursion/gkr/utils/util.go | 58 ++++- std/recursion/sumcheck/proof.go | 18 +- .../sumcheck/scalarmul_gates_test.go | 4 +- std/recursion/sumcheck/sumcheck_test.go | 4 +- 9 files changed, 315 insertions(+), 66 deletions(-) diff --git a/std/fiat-shamir/settings.go b/std/fiat-shamir/settings.go index eaf8bae24f..cc39cb52f4 100644 --- a/std/fiat-shamir/settings.go +++ b/std/fiat-shamir/settings.go @@ -5,9 +5,17 @@ import ( gohash "hash" "github.com/consensys/gnark/std/hash" "github.com/consensys/gnark/std/math/emulated" + "github.com/consensys/gnark/frontend" ) type Settings struct { + Transcript *Transcript + Prefix string + BaseChallenges []frontend.Variable + Hash hash.FieldHasher +} + +type SettingsBigInt struct { Transcript *Transcript Prefix string BaseChallenges []big.Int @@ -21,7 +29,7 @@ type SettingsEmulated[FR emulated.FieldParams] struct { Hash hash.FieldHasher } -func WithTranscript(transcript *Transcript, prefix string, baseChallenges ...big.Int) Settings { +func WithTranscript(transcript *Transcript, prefix string, baseChallenges ...frontend.Variable) Settings { return Settings{ Transcript: transcript, Prefix: prefix, @@ -29,6 +37,14 @@ func WithTranscript(transcript *Transcript, prefix string, baseChallenges ...big } } +func WithTranscriptBigInt(transcript *Transcript, prefix string, baseChallenges ...big.Int) SettingsBigInt { + return SettingsBigInt{ + Transcript: transcript, + Prefix: prefix, + BaseChallenges: baseChallenges, + } +} + func WithTranscriptFr[FR emulated.FieldParams](transcript *Transcript, prefix string, baseChallenges ...emulated.Element[FR]) SettingsEmulated[FR] { return SettingsEmulated[FR]{ Transcript: transcript, @@ -37,13 +53,20 @@ func WithTranscriptFr[FR emulated.FieldParams](transcript *Transcript, prefix st } } -func WithHash(hash gohash.Hash, baseChallenges ...big.Int) Settings { +func WithHash(hash hash.FieldHasher, baseChallenges ...frontend.Variable) Settings { return Settings{ BaseChallenges: baseChallenges, Hash: hash, } } +func WithHashBigInt(hash gohash.Hash, baseChallenges ...big.Int) SettingsBigInt { + return SettingsBigInt{ + BaseChallenges: baseChallenges, + Hash: hash, + } +} + func WithHashFr[FR emulated.FieldParams](hash hash.FieldHasher, baseChallenges ...emulated.Element[FR]) SettingsEmulated[FR] { return SettingsEmulated[FR]{ BaseChallenges: baseChallenges, diff --git a/std/math/emulated/field.go b/std/math/emulated/field.go index 6c1f19b04d..c478d567b8 100644 --- a/std/math/emulated/field.go +++ b/std/math/emulated/field.go @@ -239,13 +239,47 @@ func (f *Field[T]) enforceWidthConditional(a *Element[T]) (didConstrain bool) { return } +// func (f *Field[T]) constantValue(v *Element[T]) (*big.Int, bool) { +// var ok bool + +// constLimbs := make([]*big.Int, len(v.Limbs)) +// println("v.Limbs", v.Limbs) +// for i, l := range v.Limbs { +// // for each limb we get it's constant value if we can, or fail. +// if constLimbs[i], ok = f.api.Compiler().ConstantValue(l); !ok { +// return nil, false +// } +// } +// println("start_recompose") +// res := new(big.Int) +// if err := recompose(constLimbs, f.fParams.BitsPerLimb(), res); err != nil { +// f.log.Error().Err(err).Msg("recomposing constant") +// return nil, false +// } +// return res, true +// } + func (f *Field[T]) constantValue(v *Element[T]) (*big.Int, bool) { - var ok bool + if v == nil { + f.log.Error().Msg("constantValue: input element is nil") + return nil, false + } + if v.Limbs == nil { + f.log.Error().Msg("constantValue: input element limbs are nil") + return nil, false + } + var ok bool + println("len(v.Limbs)", len(v.Limbs)) constLimbs := make([]*big.Int, len(v.Limbs)) for i, l := range v.Limbs { - // for each limb we get it's constant value if we can, or fail. - if constLimbs[i], ok = f.api.ConstantValue(l); !ok { + if l == nil { + f.log.Error().Msgf("constantValue: limb %d is nil", i) + return nil, false + } + // for each limb we get its constant value if we can, or fail. + if constLimbs[i], ok = f.api.Compiler().ConstantValue(l); !ok { + f.log.Error().Msgf("constantValue: failed to get constant value for limb %d", i) return nil, false } } diff --git a/std/math/emulated/field_assert.go b/std/math/emulated/field_assert.go index 5c2c700663..0dc303d32f 100644 --- a/std/math/emulated/field_assert.go +++ b/std/math/emulated/field_assert.go @@ -32,10 +32,14 @@ func (f *Field[T]) enforceWidth(a *Element[T], modWidth bool) { // AssertIsEqual ensures that a is equal to b modulo the modulus. func (f *Field[T]) AssertIsEqual(a, b *Element[T]) { - f.enforceWidthConditional(a) - f.enforceWidthConditional(b) + constrain_a := f.enforceWidthConditional(a) + constrain_b := f.enforceWidthConditional(b) + println("constrain_a", constrain_a) + println("constrain_b", constrain_b) ba, aConst := f.constantValue(a) + println("aConst", aConst) bb, bConst := f.constantValue(b) + println("bConst", bConst) if aConst && bConst { ba.Mod(ba, f.fParams.Modulus()) bb.Mod(bb, f.fParams.Modulus()) diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index e73e88bedc..07d5de24a1 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -213,6 +213,8 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) AssertEvaluation(r []*em if err != nil { return fmt.Errorf("evaluation error: %w", err) } + println("val", val) + println("expectedValue", expectedValue) field.AssertIsEqual(val, expectedValue) return nil } @@ -284,13 +286,14 @@ func (m *claimsManager) add(wire *Wire, evaluationPoint []big.Int, evaluation bi claim.evaluationPoints = append(claim.evaluationPoints, evaluationPoint) } -func (m *claimsManager) getClaim(wire *Wire) *eqTimesGateEvalSumcheckClaims { +func (m *claimsManager) getClaim(engine *sumcheck.BigIntEngine, wire *Wire) *eqTimesGateEvalSumcheckClaims { lazy := m.claimsMap[wire] res := &eqTimesGateEvalSumcheckClaims{ wire: wire, evaluationPoints: lazy.evaluationPoints, claimedEvaluations: lazy.claimedEvaluations, manager: m, + engine: engine, } if wire.IsInput() { @@ -408,7 +411,7 @@ func (c *eqTimesGateEvalSumcheckClaims) computeGJ() sumcheck.NativePolynomial { nbInner := len(s) // wrt output, which has high nbOuter and low nbInner nbOuter := len(s[0]) / 2 - gJ := make([]*big.Int, degGJ) + gJ := make([]big.Int, degGJ) var mu sync.Mutex computeAll := func(start, end int) { var step big.Int @@ -417,7 +420,6 @@ func (c *eqTimesGateEvalSumcheckClaims) computeGJ() sumcheck.NativePolynomial { operands := make([]big.Int, degGJ*nbInner) for i := start; i < end; i++ { - block := nbOuter + i for j := 0; j < nbInner; j++ { step.Set(s[j][i]) @@ -439,7 +441,7 @@ func (c *eqTimesGateEvalSumcheckClaims) computeGJ() sumcheck.NativePolynomial { } mu.Lock() for i := 0; i < len(gJ); i++ { - gJ[i].Add(gJ[i], &res[i]) + gJ[i].Add(&gJ[i], &res[i]) } mu.Unlock() } @@ -453,7 +455,7 @@ func (c *eqTimesGateEvalSumcheckClaims) computeGJ() sumcheck.NativePolynomial { // Perf-TODO: Separate functions Gate.TotalDegree and Gate.Degree(i) so that we get to use possibly smaller values for degGJ. Won't help with MiMC though - return gJ + return sumcheck.ReferenceBigIntSlice(gJ) } // Next first folds the "preprocessing" and "eq" polynomials then compute the new g_j @@ -816,7 +818,7 @@ func (v *GKRVerifier[FR]) getChallengesFr(transcript *fiatshamir.Transcript, nam } // Prove consistency of the claimed assignment -func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignment, transcriptSettings fiatshamir.Settings, options ...OptionGkr) (NativeProofs, error) { +func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignment, transcriptSettings fiatshamir.SettingsBigInt, options ...OptionGkr) (NativeProofs, error) { be := sumcheck.NewBigIntEngine(target) o, err := setup(current, target, c, assignment, options...) if err != nil { @@ -846,7 +848,7 @@ func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignme claims.add(wire, sumcheck.DereferenceBigIntSlice(firstChallenge), *evaluation) } - claim := claims.getClaim(wire) + claim := claims.getClaim(be, wire) if wire.noProof() { // input wires with one claim only proof[i] = sumcheck.NativeProof{ RoundPolyEvaluations: []sumcheck.NativePolynomial{}, @@ -859,9 +861,11 @@ func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignme return proof, err } - finalEvalProof := proof[i].FinalEvalProof.([]*big.Int) + finalEvalProof := proof[i].FinalEvalProof.([]big.Int) baseChallenge = make([]*big.Int, len(finalEvalProof)) - copy(baseChallenge, finalEvalProof) + for i := range finalEvalProof { + baseChallenge[i] = &finalEvalProof[i] + } } // the verifier checks a single claim about input wires itself claims.deleteClaim(wire) diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index 07db6e3e31..65deda3c41 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -16,20 +16,16 @@ import ( fiatshamir "github.com/consensys/gnark/std/fiat-shamir" "github.com/consensys/gnark/std/recursion/gkr/utils" "github.com/consensys/gnark/std/math/emulated" - mathpoly "github.com/consensys/gnark/std/math/polynomial" + "github.com/consensys/gnark/std/math/polynomial" + "github.com/consensys/gnark/frontend/cs/scs" + //"github.com/consensys/gnark/std/hash" "github.com/consensys/gnark/std/recursion" "github.com/consensys/gnark/std/recursion/sumcheck" "github.com/consensys/gnark/test" "github.com/stretchr/testify/assert" ) -type FR = emulated.BN254Fp - -var GatesEmulated = map[string]GateEmulated[FR]{ - "identity": IdentityGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, - "add": AddGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, - "mul": MulGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, -} +// type FR = emulated.BN254Fp var Gates = map[string]Gate{ "identity": IdentityGate[*sumcheck.BigIntEngine, *big.Int]{}, @@ -46,11 +42,6 @@ var Gates = map[string]Gate{ // testManyInstances(t, 1, testNoGate) // } -func TestSingleAddGateTwoInstances(t *testing.T) { - current := ecc.BN254.ScalarField() - var fr FR - testSingleAddGate(t, current, fr.Modulus(), []*big.Int{&four, &three}, []*big.Int{&two, &three}) -} // func TestSingleAddGate(t *testing.T) { // testManyInstances(t, 2, testSingleAddGate) @@ -215,18 +206,74 @@ var one, two, three, four, five, six big.Int // assert.NoError(t, err, "proof rejected") // } -func testSingleAddGate(t *testing.T, current *big.Int, target *big.Int, inputAssignments ...[]*big.Int) { +func toEmulated[FR emulated.FieldParams](input [][]*big.Int) [][]emulated.Element[FR] { + output := make([][]emulated.Element[FR], len(input)) + for i, in := range input { + output[i] = make([]emulated.Element[FR], len(in)) + for j, in2 := range in { + output[i][j] = emulated.ValueOf[FR](*in2) + } + } + return output +} + +func TestSingleAddGateTwoInstances(t *testing.T) { + current := ecc.BN254.ScalarField() + type FR = emulated.BN254Fp + var fr FR + testSingleAddGate[FR](t, current, fr.Modulus(), []*big.Int{&four, &three}, []*big.Int{&two, &three}) +} + +func testSingleAddGate[FR emulated.FieldParams](t *testing.T, current *big.Int, target *big.Int, inputAssignments ...[]*big.Int) { c := make(Circuit, 3) c[2] = Wire{ Gate: Gates["add"], Inputs: []*Wire{&c[0], &c[1]}, } + //assert := test.NewAssert(t) + be := sumcheck.NewBigIntEngine(current) + output := make([][]*big.Int, len(inputAssignments)) + for i, in := range inputAssignments { + output[i] = make([]*big.Int, len(in)) + for j, in2 := range in { + output[i][j] = Gates["add"].Evaluate(be, in2) + } + } + assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c, target) - proof, err := Prove(current, target, c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) + proof, err := Prove(current, target, c, assignment, fiatshamir.WithHashBigInt(utils.NewMessageCounter(1, 1))) assert.NoError(t, err) - fmt.Println(proof) + + proofEmulated := make(Proofs[FR], len(proof)) + for i, proof := range proof { + proofEmulated[i] = sumcheck.ValueOfProof[FR](proof) + } + + assignmentGkr := &GkrVerifierCircuitEmulated[FR]{ + Input: toEmulated[FR](inputAssignments), + Output: toEmulated[FR](output), + SerializedProof: proofEmulated.Serialize(), + ToFail: false, + } + + validCircuit := &GkrVerifierCircuitEmulated[FR]{ + Input: make([][]emulated.Element[FR], len(toEmulated[FR](inputAssignments))), + Output: make([][]emulated.Element[FR], len(toEmulated[FR](output))), + SerializedProof: make([]emulated.Element[FR], len(proofEmulated)), + ToFail: false, + } + + println("start_isSolved") + err = test.IsSolved(validCircuit, assignmentGkr, current) + println("err", err) + //assert.NoError(t, err) + _, err = frontend.Compile(ecc.BN254.ScalarField(), scs.NewBuilder, validCircuit) + println("err", err) + + + //t.Run("testSingleAddGate", generateVerifier(toEmulated(inputAssignments), toEmulated(output), proofEmulated)) // err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) // assert.NoError(t, err, "proof rejected") @@ -235,6 +282,18 @@ func testSingleAddGate(t *testing.T, current *big.Int, target *big.Int, inputAss // assert.NotNil(t, err, "bad proof accepted") } +// func TestMulGate1Sumcheck(t *testing.T) { +// testMulGate1SumcheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{4, 3}, {2, 3}}) +// testMulGate1SumcheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{1, 2, 3, 4}, {5, 6, 7, 8}}) +// testMulGate1SumcheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{1, 2, 3, 4, 5, 6, 7, 8}, {11, 12, 13, 14, 15, 16, 17, 18}}) +// inputs := [][]int{{1}, {2}} +// for i := 1; i < (1 << 10); i++ { +// inputs[0] = append(inputs[0], inputs[0][i-1]+1) +// inputs[1] = append(inputs[1], inputs[1][i-1]+2) +// } +// testMulGate1SumcheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), inputs) +// } + // func testSingleMulGate(t *testing.T, inputAssignments ...[]fr.Element) { // c := make(Circuit, 3) @@ -403,7 +462,7 @@ func TestGkrVectorsFr(t *testing.T) { path := filepath.Join(testDirPath, dirEntry.Name()) noExt := dirEntry.Name()[:len(dirEntry.Name())-len(".json")] - t.Run(noExt, generateTestVerifier(path)) + t.Run(noExt, generateTestVerifier[emulated.BN254Fr](path)) } } } @@ -419,7 +478,45 @@ func noSuccess(o *_options) { o.noSuccess = true } -func generateTestVerifier(path string, options ...option) func(t *testing.T) { +func generateVerifier[FR emulated.FieldParams](Input [][]emulated.Element[FR], Output [][]emulated.Element[FR], Proof Proofs[FR]) func(t *testing.T) { + + return func(t *testing.T) { + + assert := test.NewAssert(t) + + assignment := &GkrVerifierCircuitEmulated[FR]{ + Input: Input, + Output: Output, + SerializedProof: Proof.Serialize(), + ToFail: false, + } + + validCircuit := &GkrVerifierCircuitEmulated[FR]{ + Input: make([][]emulated.Element[FR], len(Input)), + Output: make([][]emulated.Element[FR], len(Output)), + SerializedProof: make([]emulated.Element[FR], len(assignment.SerializedProof)), + ToFail: false, + } + + invalidCircuit := &GkrVerifierCircuitEmulated[FR]{ + Input: make([][]emulated.Element[FR], len(Input)), + Output: make([][]emulated.Element[FR], len(Output)), + SerializedProof: make([]emulated.Element[FR], len(assignment.SerializedProof)), + ToFail: true, + } + + fillWithBlanks(validCircuit.Input, len(Input[0])) + fillWithBlanks(validCircuit.Output, len(Input[0])) + fillWithBlanks(invalidCircuit.Input, len(Input[0])) + fillWithBlanks(invalidCircuit.Output, len(Input[0])) + + assert.CheckCircuit(validCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) + //assert.CheckCircuit(invalidCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithInvalidAssignment(assignment)) + } +} + + +func generateTestVerifier[FR emulated.FieldParams](path string, options ...option) func(t *testing.T) { var opts _options for _, opt := range options { opt(&opts) @@ -427,11 +524,11 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { return func(t *testing.T) { - testCase, err := getTestCase(path) + testCase, err := getTestCase[FR](path) assert := test.NewAssert(t) assert.NoError(err) - assignment := &GkrVerifierCircuitEmulated{ + assignment := &GkrVerifierCircuitEmulated[FR]{ Input: testCase.Input, Output: testCase.Output, SerializedProof: testCase.Proof.Serialize(), @@ -439,7 +536,7 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { TestCaseName: path, } - validCircuit := &GkrVerifierCircuitEmulated{ + validCircuit := &GkrVerifierCircuitEmulated[FR]{ Input: make([][]emulated.Element[FR], len(testCase.Input)), Output: make([][]emulated.Element[FR], len(testCase.Output)), SerializedProof: make([]emulated.Element[FR], len(assignment.SerializedProof)), @@ -447,7 +544,7 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { TestCaseName: path, } - invalidCircuit := &GkrVerifierCircuitEmulated{ + invalidCircuit := &GkrVerifierCircuitEmulated[FR]{ Input: make([][]emulated.Element[FR], len(testCase.Input)), Output: make([][]emulated.Element[FR], len(testCase.Output)), SerializedProof: make([]emulated.Element[FR], len(assignment.SerializedProof)), @@ -470,7 +567,7 @@ func generateTestVerifier(path string, options ...option) func(t *testing.T) { } } -type GkrVerifierCircuitEmulated struct { +type GkrVerifierCircuitEmulated[FR emulated.FieldParams] struct { Input [][]emulated.Element[FR] Output [][]emulated.Element[FR] `gnark:",public"` SerializedProof []emulated.Element[FR] @@ -478,7 +575,7 @@ type GkrVerifierCircuitEmulated struct { TestCaseName string } -func (c *GkrVerifierCircuitEmulated) Define(api frontend.API) error { +func (c *GkrVerifierCircuitEmulated[FR]) Define(api frontend.API) error { var fr FR var testCase *TestCase[FR] var proof Proofs[FR] @@ -489,8 +586,8 @@ func (c *GkrVerifierCircuitEmulated) Define(api frontend.API) error { return fmt.Errorf("new verifier: %w", err) } - //var proofRef Proof - if testCase, err = getTestCase(c.TestCaseName); err != nil { + // var proofRef Proof + if testCase, err = getTestCase[FR](c.TestCaseName); err != nil { return err } sorted := topologicalSortEmulated(testCase.Circuit) @@ -558,7 +655,7 @@ type TestCaseInfo struct { // var testCases = make(map[string]*TestCase[emulated.FieldParams]) var testCases = make(map[string]interface{}) -func getTestCase(path string) (*TestCase[FR], error) { +func getTestCase[FR emulated.FieldParams](path string) (*TestCase[FR], error) { path, err := filepath.Abs(path) if err != nil { return nil, err @@ -576,11 +673,11 @@ func getTestCase(path string) (*TestCase[FR], error) { return nil, err } - if cse.Circuit, err = getCircuit(filepath.Join(dir, info.Circuit)); err != nil { + if cse.Circuit, err = getCircuit[FR](filepath.Join(dir, info.Circuit)); err != nil { return nil, err } - cse.Proof = unmarshalProof(info.Proof) + cse.Proof = unmarshalProof[FR](info.Proof) cse.Input = utils.ToVariableSliceSliceFr[FR](info.Input) cse.Output = utils.ToVariableSliceSliceFr[FR](info.Output) @@ -605,7 +702,7 @@ type CircuitInfo []WireInfo // var circuitCache = make(map[string]CircuitFr[emulated.FieldParams]) var circuitCache = make(map[string]interface{}) -func getCircuit(path string) (circuit CircuitEmulated[FR], err error) { +func getCircuit[FR emulated.FieldParams](path string) (circuit CircuitEmulated[FR], err error) { path, err = filepath.Abs(path) if err != nil { return @@ -618,7 +715,7 @@ func getCircuit(path string) (circuit CircuitEmulated[FR], err error) { if bytes, err = os.ReadFile(path); err == nil { var circuitInfo CircuitInfo if err = json.Unmarshal(bytes, &circuitInfo); err == nil { - circuit, err = toCircuitEmulated(circuitInfo) + circuit, err = toCircuitEmulated[FR](circuitInfo) if err == nil { circuitCache[path] = circuit } @@ -627,7 +724,13 @@ func getCircuit(path string) (circuit CircuitEmulated[FR], err error) { return } -func toCircuitEmulated(c CircuitInfo) (circuit CircuitEmulated[FR], err error) { +func toCircuitEmulated[FR emulated.FieldParams](c CircuitInfo) (circuit CircuitEmulated[FR], err error) { + var GatesEmulated = map[string]GateEmulated[FR]{ + "identity": IdentityGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, + "add": AddGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, + "mul": MulGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, + } + circuit = make(CircuitEmulated[FR], len(c)) for i, wireInfo := range c { circuit[i].Inputs = make([]*WireEmulated[FR], len(wireInfo.Inputs)) @@ -645,17 +748,23 @@ func toCircuitEmulated(c CircuitInfo) (circuit CircuitEmulated[FR], err error) { return } -type _select int +type _select[FR emulated.FieldParams] int -func init() { - GatesEmulated["select-input-3"] = _select(2) -} +// func init() { +// var GatesEmulated = map[string]GateEmulated[FR]{ +// "identity": IdentityGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, +// "add": AddGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, +// "mul": MulGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, +// } + +// GatesEmulated["select-input-3"] = _select[FR](2) +// } -func (g _select) Evaluate(_ *sumcheck.EmuEngine[FR], in ...*emulated.Element[FR]) *emulated.Element[FR] { +func (g _select[FR]) Evaluate(_ *sumcheck.EmuEngine[FR], in ...*emulated.Element[FR]) *emulated.Element[FR] { return in[g] } -func (g _select) Degree() int { +func (g _select[FR]) Degree() int { return 1 } @@ -666,7 +775,7 @@ type PrintableSumcheckProof struct { RoundPolyEvaluations [][]interface{} `json:"partialSumPolys"` } -func unmarshalProof(printable PrintableProof) (proof Proofs[FR]) { +func unmarshalProof[FR emulated.FieldParams](printable PrintableProof) (proof Proofs[FR]) { proof = make(Proofs[FR], len(printable)) for i := range printable { @@ -682,7 +791,7 @@ func unmarshalProof(printable PrintableProof) (proof Proofs[FR]) { proof[i].FinalEvalProof = nil } - proof[i].RoundPolyEvaluations = make([]mathpoly.Univariate[FR], len(printable[i].RoundPolyEvaluations)) + proof[i].RoundPolyEvaluations = make([]polynomial.Univariate[FR], len(printable[i].RoundPolyEvaluations)) for k := range printable[i].RoundPolyEvaluations { proof[i].RoundPolyEvaluations[k] = utils.ToVariableSliceFr[FR](printable[i].RoundPolyEvaluations[k]) } @@ -691,10 +800,10 @@ func unmarshalProof(printable PrintableProof) (proof Proofs[FR]) { } func TestLogNbInstances(t *testing.T) { - + type FR = emulated.BN254Fp testLogNbInstances := func(path string) func(t *testing.T) { return func(t *testing.T) { - testCase, err := getTestCase(path) + testCase, err := getTestCase[FR](path) assert.NoError(t, err) wires := topologicalSortEmulated(testCase.Circuit) serializedProof := testCase.Proof.Serialize() @@ -711,7 +820,8 @@ func TestLogNbInstances(t *testing.T) { } func TestLoadCircuit(t *testing.T) { - c, err := getCircuit("test_vectors/resources/two_identity_gates_composed_single_input.json") + type FR = emulated.BN254Fp + c, err := getCircuit[FR]("test_vectors/resources/two_identity_gates_composed_single_input.json") assert.NoError(t, err) assert.Equal(t, []*WireEmulated[FR]{}, c[0].Inputs) assert.Equal(t, []*WireEmulated[FR]{&c[0]}, c[1].Inputs) @@ -719,6 +829,7 @@ func TestLoadCircuit(t *testing.T) { } func TestTopSortTrivial(t *testing.T) { + type FR = emulated.BN254Fp c := make(CircuitEmulated[FR], 2) c[0].Inputs = []*WireEmulated[FR]{&c[1]} sorted := topologicalSortEmulated(c) @@ -726,6 +837,7 @@ func TestTopSortTrivial(t *testing.T) { } func TestTopSortSingleGate(t *testing.T) { + type FR = emulated.BN254Fp c := make(CircuitEmulated[FR], 3) c[0].Inputs = []*WireEmulated[FR]{&c[1], &c[2]} sorted := topologicalSortEmulated(c) @@ -738,6 +850,7 @@ func TestTopSortSingleGate(t *testing.T) { } func TestTopSortDeep(t *testing.T) { + type FR = emulated.BN254Fp c := make(CircuitEmulated[FR], 4) c[0].Inputs = []*WireEmulated[FR]{&c[2]} c[1].Inputs = []*WireEmulated[FR]{&c[3]} @@ -748,6 +861,7 @@ func TestTopSortDeep(t *testing.T) { } func TestTopSortWide(t *testing.T) { + type FR = emulated.BN254Fp c := make(CircuitEmulated[FR], 10) c[0].Inputs = []*WireEmulated[FR]{&c[3], &c[8]} c[1].Inputs = []*WireEmulated[FR]{&c[6]} diff --git a/std/recursion/gkr/utils/util.go b/std/recursion/gkr/utils/util.go index d285e5b771..068fa6d0a5 100644 --- a/std/recursion/gkr/utils/util.go +++ b/std/recursion/gkr/utils/util.go @@ -172,4 +172,60 @@ func NewMessageCounterGenerator(startState, step int) func() hash.Hash { return func() hash.Hash { return NewMessageCounter(startState, step) } -} \ No newline at end of file +} + +// type HashDescriptionEmulated map[string]interface{} + +// func HashFromDescriptionEmulated(api frontend.API, d HashDescriptionEmulated) (hash.FieldHasher, error) { +// if _type, ok := d["type"]; ok { +// switch _type { +// case "const": +// startState := int64(d["val"].(float64)) +// return &MessageCounter{startState: startState, step: 0, state: startState, api: api}, nil +// default: +// return nil, fmt.Errorf("unknown fake hash type \"%s\"", _type) +// } +// } +// return nil, fmt.Errorf("hash description missing type") +// } + +// type MessageCounterEmulated struct { +// startState int64 +// state int64 +// step int64 + + +// // cheap trick to avoid unconstrained input errors +// api frontend.API +// zero frontend.Variable +// } + +// func (m *MessageCounterEmulated) Write(data ...frontend.Variable) { + +// for i := range data { +// sq1, sq2 := m.api.Mul(data[i], data[i]), m.api.Mul(data[i], data[i]) +// m.zero = m.api.Sub(sq1, sq2, m.zero) +// } + +// m.state += int64(len(data)) * m.step +// } + +// func (m *MessageCounterEmulated) Sum() frontend.Variable { +// return m.api.Add(m.state, m.zero) +// } + +// func (m *MessageCounterEmulated) Reset() { +// m.zero = 0 +// m.state = m.startState +// } + +// func NewMessageCounterEmulated(api frontend.API, startState, step int) hash.FieldHasher { +// transcript := &MessageCounterEmulated{startState: int64(startState), state: int64(startState), step: int64(step), api: api} +// return transcript +// } + +// func NewMessageCounterGeneratorEmulated(startState, step int) func(frontend.API) hash.FieldHasher { +// return func(api frontend.API) hash.FieldHasher { +// return NewMessageCounterEmulated(api, startState, step) +// } +// } \ No newline at end of file diff --git a/std/recursion/sumcheck/proof.go b/std/recursion/sumcheck/proof.go index 304aef6bac..bf1f93bdce 100644 --- a/std/recursion/sumcheck/proof.go +++ b/std/recursion/sumcheck/proof.go @@ -1,6 +1,8 @@ package sumcheck import ( + "math/big" + "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark/std/math/polynomial" ) @@ -32,14 +34,26 @@ type DeferredEvalProof[FR emulated.FieldParams] []emulated.Element[FR] type NativeEvaluationProof any -func valueOfProof[FR emulated.FieldParams](nproof NativeProof) Proof[FR] { +func ValueOfProof[FR emulated.FieldParams](nproof NativeProof) Proof[FR] { rps := make([]polynomial.Univariate[FR], len(nproof.RoundPolyEvaluations)) + finaleval := nproof.FinalEvalProof + if finaleval != nil { + switch v := finaleval.(type) { + case []big.Int: + deferredEval := make(DeferredEvalProof[FR], len(v)) + for i := range v { + deferredEval[i] = emulated.ValueOf[FR](v[i]) + } + finaleval = deferredEval + } + } for i := range nproof.RoundPolyEvaluations { rps[i] = polynomial.ValueOfUnivariate[FR](nproof.RoundPolyEvaluations[i]) } - // TODO: type switch FinalEvalProof when it is not-nil + return Proof[FR]{ RoundPolyEvaluations: rps, + FinalEvalProof: finaleval, } } diff --git a/std/recursion/sumcheck/scalarmul_gates_test.go b/std/recursion/sumcheck/scalarmul_gates_test.go index 3740537317..f15c9a8ec6 100644 --- a/std/recursion/sumcheck/scalarmul_gates_test.go +++ b/std/recursion/sumcheck/scalarmul_gates_test.go @@ -137,7 +137,7 @@ func testProjAddSumCheckInstance[FR emulated.FieldParams](t *testing.T, current } assignment := &ProjAddSumcheckCircuit[FR]{ Inputs: make([][]emulated.Element[FR], len(inputs)), - Proof: valueOfProof[FR](proof), + Proof: ValueOfProof[FR](proof), EvaluationPoints: evalPointsC, Claimed: []emulated.Element[FR]{emulated.ValueOf[FR](evals[0])}, } @@ -391,7 +391,7 @@ func testProjDblAddSelectSumCheckInstance[FR emulated.FieldParams](t *testing.T, } assignment := &ProjDblAddSelectSumcheckCircuit[FR]{ Inputs: make([][]emulated.Element[FR], len(inputs)), - Proof: valueOfProof[FR](proof), + Proof: ValueOfProof[FR](proof), EvaluationPoints: evalPointsC, Claimed: []emulated.Element[FR]{emulated.ValueOf[FR](evals[0])}, } diff --git a/std/recursion/sumcheck/sumcheck_test.go b/std/recursion/sumcheck/sumcheck_test.go index 4db5c8aa55..0a19dc8e21 100644 --- a/std/recursion/sumcheck/sumcheck_test.go +++ b/std/recursion/sumcheck/sumcheck_test.go @@ -56,7 +56,7 @@ func testMultilinearSumcheckInstance[FR emulated.FieldParams](t *testing.T, curr assignment := &MultilinearSumcheckCircuit[FR]{ Function: polynomial.ValueOfMultilinear[FR](mleB), Claim: emulated.ValueOf[FR](value), - Proof: valueOfProof[FR](proof), + Proof: ValueOfProof[FR](proof), } err = test.IsSolved(circuit, assignment, current) assert.NoError(err) @@ -168,7 +168,7 @@ func testMulGate1SumcheckInstance[FR emulated.FieldParams](t *testing.T, current } assignment := &MulGateSumcheck[FR]{ Inputs: make([][]emulated.Element[FR], len(inputs)), - Proof: valueOfProof[FR](proof), + Proof: ValueOfProof[FR](proof), EvaluationPoints: evalPointsC, Claimed: []emulated.Element[FR]{emulated.ValueOf[FR](evals[0])}, } From 043048b18a3c8ffba820a63d2fad2fad5f2fd05a Mon Sep 17 00:00:00 2001 From: ak36 Date: Fri, 21 Jun 2024 13:05:47 -0400 Subject: [PATCH 17/26] arya review test --- std/math/emulated/field.go | 5 ++++- std/recursion/gkr/gkr_nonnative_test.go | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/std/math/emulated/field.go b/std/math/emulated/field.go index c478d567b8..0b7a277a24 100644 --- a/std/math/emulated/field.go +++ b/std/math/emulated/field.go @@ -261,19 +261,22 @@ func (f *Field[T]) enforceWidthConditional(a *Element[T]) (didConstrain bool) { func (f *Field[T]) constantValue(v *Element[T]) (*big.Int, bool) { if v == nil { + println("v is nil") f.log.Error().Msg("constantValue: input element is nil") return nil, false } if v.Limbs == nil { + println("v.Limbs is nil") f.log.Error().Msg("constantValue: input element limbs are nil") return nil, false } var ok bool - println("len(v.Limbs)", len(v.Limbs)) + constLimbs := make([]*big.Int, len(v.Limbs)) for i, l := range v.Limbs { if l == nil { + println("l is nil") f.log.Error().Msgf("constantValue: limb %d is nil", i) return nil, false } diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index 65deda3c41..081153ef3c 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -450,7 +450,7 @@ func testSingleAddGate[FR emulated.FieldParams](t *testing.T, current *big.Int, // slice[i].SetRandom() // } // } -func TestGkrVectorsFr(t *testing.T) { +func TestGkrVectorsEmulated(t *testing.T) { testDirPath := "./test_vectors" dirEntries, err := os.ReadDir(testDirPath) From 0da71f76e8b790409920154929af80c4e8f08e48 Mon Sep 17 00:00:00 2001 From: ak36 Date: Thu, 27 Jun 2024 22:10:13 -0400 Subject: [PATCH 18/26] fixed single_identity_gate_two_instances prove, renamed partialSumPolys to RoundPolyEvals --- go.mod | 1 + go.sum | 2 + std/gkr/gkr.go | 16 +- std/gkr/gkr_test.go | 8 +- .../single_identity_gate_two_instances.json | 4 +- ...nput_two_identity_gates_two_instances.json | 6 +- .../single_input_two_outs_two_instances.json | 6 +- .../single_mimc_gate_four_instances.json | 6 +- .../single_mimc_gate_two_instances.json | 6 +- .../single_mul_gate_two_instances.json | 6 +- ...s_composed_single_input_two_instances.json | 6 +- ...uts_select-input-3_gate_two_instances.json | 6 +- std/math/emulated/field.go | 39 +- std/math/emulated/field_assert.go | 9 +- std/math/polynomial/polynomial.go | 5 +- std/recursion/gkr/gkr_nonnative.go | 260 ++++++----- std/recursion/gkr/gkr_nonnative_test.go | 408 ++++++++++++------ .../mimc_five_levels_two_instances._json | 7 - ...nput_two_identity_gates_two_instances.json | 6 +- .../single_input_two_outs_two_instances.json | 6 +- .../single_mul_gate_two_instances.json | 6 +- ...s_composed_single_input_two_instances.json | 6 +- .../single_identity_gate_two_instances.json | 25 +- .../single_mimc_gate_four_instances.json | 67 --- .../single_mimc_gate_two_instances.json | 51 --- ...uts_select-input-3_gate_two_instances.json | 45 -- std/recursion/gkr/utils/util.go | 32 ++ std/recursion/sumcheck/claimable_gate.go | 2 +- std/recursion/sumcheck/polynomial.go | 2 +- std/recursion/sumcheck/proof.go | 5 +- std/sumcheck/sumcheck.go | 13 +- 31 files changed, 537 insertions(+), 530 deletions(-) delete mode 100644 std/recursion/gkr/test_vectors/mimc_five_levels_two_instances._json rename std/recursion/gkr/test_vectors/{ => resources}/single_input_two_identity_gates_two_instances.json (83%) rename std/recursion/gkr/test_vectors/{ => resources}/single_input_two_outs_two_instances.json (83%) rename std/recursion/gkr/test_vectors/{ => resources}/single_mul_gate_two_instances.json (80%) rename std/recursion/gkr/test_vectors/{ => resources}/two_identity_gates_composed_single_input_two_instances.json (81%) delete mode 100644 std/recursion/gkr/test_vectors/single_mimc_gate_four_instances.json delete mode 100644 std/recursion/gkr/test_vectors/single_mimc_gate_two_instances.json delete mode 100644 std/recursion/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json diff --git a/go.mod b/go.mod index 4805c741f0..69aa38fd8d 100644 --- a/go.mod +++ b/go.mod @@ -33,6 +33,7 @@ require ( github.com/pmezard/go-difflib v1.0.0 // indirect github.com/rogpeppe/go-internal v1.11.0 // indirect github.com/x448/float16 v0.8.4 // indirect + golang.org/dl v0.0.0-20240621154342-20a4bcbb3ee2 // indirect golang.org/x/sys v0.15.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect rsc.io/tmplfunc v0.0.3 // indirect diff --git a/go.sum b/go.sum index 99806d860f..4b5b09748b 100644 --- a/go.sum +++ b/go.sum @@ -57,6 +57,8 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +golang.org/dl v0.0.0-20240621154342-20a4bcbb3ee2 h1:pV/1u+ib3c3Lhedg7EeTXMmyo7pKi7xHFH++3qlpxV8= +golang.org/dl v0.0.0-20240621154342-20a4bcbb3ee2/go.mod h1:fwQ+hlTD8I6TIzOGkQqxQNfE2xqR+y7SzGaDkksVFkw= golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ= diff --git a/std/gkr/gkr.go b/std/gkr/gkr.go index c33f3c4529..4da2629934 100644 --- a/std/gkr/gkr.go +++ b/std/gkr/gkr.go @@ -328,7 +328,7 @@ func Verify(api frontend.API, c Circuit, assignment WireAssignment, proof Proof, claim := claims.getLazyClaim(wire) if wire.noProof() { // input wires with one claim only // make sure the proof is empty - if len(finalEvalProof) != 0 || len(proofW.PartialSumPolys) != 0 { + if len(finalEvalProof) != 0 || len(proofW.RoundPolyEvaluations) != 0 { return fmt.Errorf("no proof allowed for input wire with a single claim") } @@ -471,16 +471,16 @@ func (a WireAssignment) NumVars() int { func (p Proof) Serialize() []frontend.Variable { size := 0 for i := range p { - for j := range p[i].PartialSumPolys { - size += len(p[i].PartialSumPolys[j]) + for j := range p[i].RoundPolyEvaluations { + size += len(p[i].RoundPolyEvaluations[j]) } size += len(p[i].FinalEvalProof.([]frontend.Variable)) } res := make([]frontend.Variable, 0, size) for i := range p { - for j := range p[i].PartialSumPolys { - res = append(res, p[i].PartialSumPolys[j]...) + for j := range p[i].RoundPolyEvaluations { + res = append(res, p[i].RoundPolyEvaluations[j]...) } res = append(res, p[i].FinalEvalProof.([]frontend.Variable)...) } @@ -520,9 +520,9 @@ func DeserializeProof(sorted []*Wire, serializedProof []frontend.Variable) (Proo reader := variablesReader(serializedProof) for i, wI := range sorted { if !wI.noProof() { - proof[i].PartialSumPolys = make([]polynomial.Polynomial, logNbInstances) - for j := range proof[i].PartialSumPolys { - proof[i].PartialSumPolys[j] = reader.nextN(wI.Gate.Degree() + 1) + proof[i].RoundPolyEvaluations = make([]polynomial.Polynomial, logNbInstances) + for j := range proof[i].RoundPolyEvaluations { + proof[i].RoundPolyEvaluations[j] = reader.nextN(wI.Gate.Degree() + 1) } } proof[i].FinalEvalProof = reader.nextN(wI.nbUniqueInputs()) diff --git a/std/gkr/gkr_test.go b/std/gkr/gkr_test.go index 8ec97a2954..a9206aeda8 100644 --- a/std/gkr/gkr_test.go +++ b/std/gkr/gkr_test.go @@ -276,7 +276,7 @@ type PrintableProof []PrintableSumcheckProof type PrintableSumcheckProof struct { FinalEvalProof interface{} `json:"finalEvalProof"` - PartialSumPolys [][]interface{} `json:"partialSumPolys"` + RoundPolyEvaluations [][]interface{} `json:"roundPolyEvaluations"` } func unmarshalProof(printable PrintableProof) (proof Proof) { @@ -294,9 +294,9 @@ func unmarshalProof(printable PrintableProof) (proof Proof) { proof[i].FinalEvalProof = nil } - proof[i].PartialSumPolys = make([]polynomial.Polynomial, len(printable[i].PartialSumPolys)) - for k := range printable[i].PartialSumPolys { - proof[i].PartialSumPolys[k] = ToVariableSlice(printable[i].PartialSumPolys[k]) + proof[i].RoundPolyEvaluations = make([]polynomial.Polynomial, len(printable[i].RoundPolyEvaluations)) + for k := range printable[i].RoundPolyEvaluations { + proof[i].RoundPolyEvaluations[k] = ToVariableSlice(printable[i].RoundPolyEvaluations[k]) } } return diff --git a/std/gkr/test_vectors/single_identity_gate_two_instances.json b/std/gkr/test_vectors/single_identity_gate_two_instances.json index ce326d0a63..fa38a03cb6 100644 --- a/std/gkr/test_vectors/single_identity_gate_two_instances.json +++ b/std/gkr/test_vectors/single_identity_gate_two_instances.json @@ -19,13 +19,13 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [ 5 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -3, -8 diff --git a/std/gkr/test_vectors/single_input_two_identity_gates_two_instances.json b/std/gkr/test_vectors/single_input_two_identity_gates_two_instances.json index 2c95f044f2..a995f7197a 100644 --- a/std/gkr/test_vectors/single_input_two_identity_gates_two_instances.json +++ b/std/gkr/test_vectors/single_input_two_identity_gates_two_instances.json @@ -23,7 +23,7 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ 0, 0 @@ -34,7 +34,7 @@ "finalEvalProof": [ 1 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -3, -16 @@ -45,7 +45,7 @@ "finalEvalProof": [ 1 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -3, -16 diff --git a/std/gkr/test_vectors/single_input_two_outs_two_instances.json b/std/gkr/test_vectors/single_input_two_outs_two_instances.json index d348303d0e..6dace72193 100644 --- a/std/gkr/test_vectors/single_input_two_outs_two_instances.json +++ b/std/gkr/test_vectors/single_input_two_outs_two_instances.json @@ -23,7 +23,7 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ 0, 0 @@ -34,7 +34,7 @@ "finalEvalProof": [ 0 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -4, -36, @@ -46,7 +46,7 @@ "finalEvalProof": [ 0 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -2, -12 diff --git a/std/gkr/test_vectors/single_mimc_gate_four_instances.json b/std/gkr/test_vectors/single_mimc_gate_four_instances.json index 525459ecb1..1162e56f36 100644 --- a/std/gkr/test_vectors/single_mimc_gate_four_instances.json +++ b/std/gkr/test_vectors/single_mimc_gate_four_instances.json @@ -29,18 +29,18 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [ -1, -3 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -32640, -2239484, diff --git a/std/gkr/test_vectors/single_mimc_gate_two_instances.json b/std/gkr/test_vectors/single_mimc_gate_two_instances.json index 7fa23ce4b1..12d7755dd5 100644 --- a/std/gkr/test_vectors/single_mimc_gate_two_instances.json +++ b/std/gkr/test_vectors/single_mimc_gate_two_instances.json @@ -23,18 +23,18 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [ 1, 0 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -2187, -65536, diff --git a/std/gkr/test_vectors/single_mul_gate_two_instances.json b/std/gkr/test_vectors/single_mul_gate_two_instances.json index 75c1d59c3d..ba854e37f5 100644 --- a/std/gkr/test_vectors/single_mul_gate_two_instances.json +++ b/std/gkr/test_vectors/single_mul_gate_two_instances.json @@ -23,18 +23,18 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [ 5, 1 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -9, -32, diff --git a/std/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json b/std/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json index 10e5f1ff3c..e145c7d18d 100644 --- a/std/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json +++ b/std/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json @@ -19,13 +19,13 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [ 3 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -1, 0 @@ -36,7 +36,7 @@ "finalEvalProof": [ 3 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -1, 0 diff --git a/std/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json b/std/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json index 19e127df71..e972222802 100644 --- a/std/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json +++ b/std/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json @@ -23,18 +23,18 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [ -1, 1 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -3, -16 diff --git a/std/math/emulated/field.go b/std/math/emulated/field.go index 0b7a277a24..9dbc471e25 100644 --- a/std/math/emulated/field.go +++ b/std/math/emulated/field.go @@ -239,50 +239,13 @@ func (f *Field[T]) enforceWidthConditional(a *Element[T]) (didConstrain bool) { return } -// func (f *Field[T]) constantValue(v *Element[T]) (*big.Int, bool) { -// var ok bool - -// constLimbs := make([]*big.Int, len(v.Limbs)) -// println("v.Limbs", v.Limbs) -// for i, l := range v.Limbs { -// // for each limb we get it's constant value if we can, or fail. -// if constLimbs[i], ok = f.api.Compiler().ConstantValue(l); !ok { -// return nil, false -// } -// } -// println("start_recompose") -// res := new(big.Int) -// if err := recompose(constLimbs, f.fParams.BitsPerLimb(), res); err != nil { -// f.log.Error().Err(err).Msg("recomposing constant") -// return nil, false -// } -// return res, true -// } - func (f *Field[T]) constantValue(v *Element[T]) (*big.Int, bool) { - if v == nil { - println("v is nil") - f.log.Error().Msg("constantValue: input element is nil") - return nil, false - } - if v.Limbs == nil { - println("v.Limbs is nil") - f.log.Error().Msg("constantValue: input element limbs are nil") - return nil, false - } - var ok bool constLimbs := make([]*big.Int, len(v.Limbs)) for i, l := range v.Limbs { - if l == nil { - println("l is nil") - f.log.Error().Msgf("constantValue: limb %d is nil", i) - return nil, false - } - // for each limb we get its constant value if we can, or fail. + // for each limb we get it's constant value if we can, or fail. if constLimbs[i], ok = f.api.Compiler().ConstantValue(l); !ok { - f.log.Error().Msgf("constantValue: failed to get constant value for limb %d", i) return nil, false } } diff --git a/std/math/emulated/field_assert.go b/std/math/emulated/field_assert.go index 0dc303d32f..ac20b22b0b 100644 --- a/std/math/emulated/field_assert.go +++ b/std/math/emulated/field_assert.go @@ -32,14 +32,11 @@ func (f *Field[T]) enforceWidth(a *Element[T], modWidth bool) { // AssertIsEqual ensures that a is equal to b modulo the modulus. func (f *Field[T]) AssertIsEqual(a, b *Element[T]) { - constrain_a := f.enforceWidthConditional(a) - constrain_b := f.enforceWidthConditional(b) - println("constrain_a", constrain_a) - println("constrain_b", constrain_b) + f.enforceWidthConditional(a) + f.enforceWidthConditional(b) + ba, aConst := f.constantValue(a) - println("aConst", aConst) bb, bConst := f.constantValue(b) - println("bConst", bConst) if aConst && bConst { ba.Mod(ba, f.fParams.Modulus()) bb.Mod(bb, f.fParams.Modulus()) diff --git a/std/math/polynomial/polynomial.go b/std/math/polynomial/polynomial.go index 2240930661..b2acb87c6f 100644 --- a/std/math/polynomial/polynomial.go +++ b/std/math/polynomial/polynomial.go @@ -65,6 +65,9 @@ type Polynomial[FR emulated.FieldParams] struct { // FromSlice maps slice of emulated element values to their references. func FromSlice[FR emulated.FieldParams](in []emulated.Element[FR]) []*emulated.Element[FR] { + if len(in) == 0 { + return []*emulated.Element[FR]{} + } r := make([]*emulated.Element[FR], len(in)) for i := range in { r[i] = &in[i] @@ -117,7 +120,7 @@ func (p *Polynomial[FR]) EvalMultilinear(at []*emulated.Element[FR], M Multiline // EvalMultilinearMany evaluates multilinear polynomials at variable values at. It // returns the evaluations. The method does not mutate the inputs. -// +// // The method allows to share computations of computing the coefficients of the // multilinear polynomials at the given evaluation points. func (p *Polynomial[FR]) EvalMultilinearMany(at []*emulated.Element[FR], M ...Multilinear[FR]) ([]*emulated.Element[FR], error) { diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index 07d5de24a1..f517d11054 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -5,18 +5,17 @@ import ( "math/big" "slices" "strconv" - "sync" + cryptofiatshamir "github.com/consensys/gnark-crypto/fiat-shamir" "github.com/consensys/gnark-crypto/utils" "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark/internal/parallel" fiatshamir "github.com/consensys/gnark/std/fiat-shamir" - cryptofiatshamir "github.com/consensys/gnark-crypto/fiat-shamir" "github.com/consensys/gnark/std/math/bits" "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark/std/math/polynomial" "github.com/consensys/gnark/std/recursion" "github.com/consensys/gnark/std/recursion/sumcheck" - "github.com/consensys/gnark/internal/parallel" ) // @tabaie TODO: Contains many things copy-pasted from gnark-crypto. Generify somehow? @@ -139,7 +138,10 @@ type eqTimesGateEvalSumcheckLazyClaimsEmulated[FR emulated.FieldParams] struct { func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof sumcheck.DeferredEvalProof[FR]) error { inputEvaluationsNoRedundancy := proof - field := emulated.Field[FR]{} + field, err := emulated.NewField[FR](e.verifier.api) + if err != nil { + return fmt.Errorf("failed to create field: %w", err) + } p, err := polynomial.New[FR](e.verifier.api) if err != nil { return err @@ -208,16 +210,18 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) Degree(int) int { } func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof sumcheck.EvaluationProof) error { - field := emulated.Field[FR]{} + field, err := emulated.NewField[FR](e.verifier.api) + if err != nil { + return fmt.Errorf("failed to create field: %w", err) + } val, err := e.verifier.p.EvalMultilinear(r, e.manager.assignment[e.wire]) if err != nil { return fmt.Errorf("evaluation error: %w", err) } - println("val", val) - println("expectedValue", expectedValue) + field.AssertIsEqual(val, expectedValue) return nil -} +} type claimsManagerEmulated[FR emulated.FieldParams] struct { claimsMap map[*WireEmulated[FR]]*eqTimesGateEvalSumcheckLazyClaimsEmulated[FR] @@ -280,10 +284,14 @@ func newClaimsManager(c Circuit, assignment WireAssignment) (claims claimsManage } func (m *claimsManager) add(wire *Wire, evaluationPoint []big.Int, evaluation big.Int) { + println("claim add") claim := m.claimsMap[wire] i := len(claim.evaluationPoints) + println("len claim.evaluationPoints before", i) + fmt.Printf("evaluation: %v\n", evaluation) claim.claimedEvaluations[i] = evaluation claim.evaluationPoints = append(claim.evaluationPoints, evaluationPoint) + println("len claim.evaluationPoints after", len(claim.evaluationPoints)) } func (m *claimsManager) getClaim(engine *sumcheck.BigIntEngine, wire *Wire) *eqTimesGateEvalSumcheckClaims { @@ -339,28 +347,28 @@ func (e *eqTimesGateEvalSumcheckClaims) NbVars() int { } func (c *eqTimesGateEvalSumcheckClaims) Combine(combinationCoeff *big.Int) sumcheck.NativePolynomial { - varsNum := c.VarsNum() + varsNum := c.NbVars() eqLength := 1 << varsNum - claimsNum := c.ClaimsNum() + claimsNum := c.NbClaims() + // initialize the eq tables c.eq = make(sumcheck.NativeMultilinear, eqLength) - - c.eq[0] = big.NewInt(1) + for i := 1; i < eqLength; i++ { + c.eq[i] = new(big.Int) + } + c.eq[0] = c.engine.One() sumcheck.Eq(c.engine, c.eq, sumcheck.ReferenceBigIntSlice(c.evaluationPoints[0])) newEq := make(sumcheck.NativeMultilinear, eqLength) - aI := combinationCoeff + for i := 1; i < eqLength; i++ { + newEq[i] = new(big.Int) + } + aI := new(big.Int).Set(combinationCoeff) for k := 1; k < claimsNum; k++ { // TODO: parallelizable? // define eq_k = aᵏ eq(x_k1, ..., x_kn, *, ..., *) where x_ki are the evaluation points - newEq[0].Set(aI) - - c.eqAcc(c.eq, newEq, c.evaluationPoints[k]) - - // newEq.Eq(c.evaluationPoints[k]) - // eqAsPoly := sumcheck.NativePolynomial(c.eq) //just semantics - // eqAsPoly.Add(eqAsPoly, sumcheck.NativePolynomial(newEq)) - + newEq[0].Set(aI) // check if this is one or ai + sumcheck.EqAcc(c.engine, c.eq, newEq, sumcheck.ReferenceBigIntSlice(c.evaluationPoints[k])) if k+1 < claimsNum { aI.Mul(aI, combinationCoeff) } @@ -370,30 +378,6 @@ func (c *eqTimesGateEvalSumcheckClaims) Combine(combinationCoeff *big.Int) sumch return c.computeGJ() } -// eqAcc sets m to an eq table at q and then adds it to e -func (c *eqTimesGateEvalSumcheckClaims) eqAcc(e, m sumcheck.NativeMultilinear, q []big.Int) { - n := len(q) - - //At the end of each iteration, m(h₁, ..., hₙ) = Eq(q₁, ..., qᵢ₊₁, h₁, ..., hᵢ₊₁) - for i := range q { // In the comments we use a 1-based index so q[i] = qᵢ₊₁ - // go through all assignments of (b₁, ..., bᵢ) ∈ {0,1}ⁱ - k := 1 << i - for j := 0; j < k; j++ { - j0 := j << (n - i) // bᵢ₊₁ = 0 - j1 := j0 + 1<<(n-1-i) // bᵢ₊₁ = 1 - - m[j1].Mul(&q[i], m[j0]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) qᵢ₊₁ - m[j0].Sub(m[j0], m[j1]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) (1-qᵢ₊₁) - } - - } - - for i := 0; i < len(e); i++ { - e[i].Add(e[i], m[i]) - } - // e.Add(e, sumcheck.NativePolynomial(m)) -} - // computeGJ: gⱼ = ∑_{0≤i<2ⁿ⁻ʲ} g(r₁, r₂, ..., rⱼ₋₁, Xⱼ, i...) = ∑_{0≤i<2ⁿ⁻ʲ} E(r₁, ..., X_j, i...) R_v( P_u0(r₁, ..., X_j, i...), ... ) where E = ∑ eq_k // the polynomial is represented by the evaluations g_j(1), g_j(2), ..., g_j(deg(g_j)). // The value g_j(0) is inferred from the equation g_j(0) + g_j(1) = gⱼ₋₁(rⱼ₋₁). By convention, g₀ is a constant polynomial equal to the claimed sum. @@ -411,76 +395,57 @@ func (c *eqTimesGateEvalSumcheckClaims) computeGJ() sumcheck.NativePolynomial { nbInner := len(s) // wrt output, which has high nbOuter and low nbInner nbOuter := len(s[0]) / 2 - gJ := make([]big.Int, degGJ) - var mu sync.Mutex - computeAll := func(start, end int) { - var step big.Int - - res := make([]big.Int, degGJ) - operands := make([]big.Int, degGJ*nbInner) + gJ := make(sumcheck.NativePolynomial, degGJ) + for i := range gJ { + gJ[i] = new(big.Int) + } - for i := start; i < end; i++ { - block := nbOuter + i - for j := 0; j < nbInner; j++ { - step.Set(s[j][i]) - operands[j].Set(s[j][block]) - step.Sub(&operands[j], &step) - for d := 1; d < degGJ; d++ { - operands[d*nbInner+j].Add(&operands[(d-1)*nbInner+j], &step) - } - } + step := new(big.Int) + res := make([]*big.Int, degGJ) + for i := range res { + res[i] = new(big.Int) + } + operands := make([]*big.Int, degGJ*nbInner) + for i := range operands { + operands[i] = new(big.Int) + } - _s := 0 - _e := nbInner - for d := 0; d < degGJ; d++ { - summand := c.wire.Gate.Evaluate(c.engine, sumcheck.ReferenceBigIntSlice(operands[_s+1 : _e])...) - summand.Mul(summand, &operands[_s]) - res[d].Add(&res[d], summand) - _s, _e = _e, _e+nbInner + for i := 0; i < nbOuter; i++ { + block := nbOuter + i + for j := 0; j < nbInner; j++ { + // TODO: instead of set can assign? + step.Set(s[j][i]) + operands[j].Set(s[j][block]) + step = c.engine.Sub(operands[j], step) + for d := 1; d < degGJ; d++ { + operands[d*nbInner+j] = c.engine.Add(operands[(d-1)*nbInner+j], step) } } - mu.Lock() - for i := 0; i < len(gJ); i++ { - gJ[i].Add(&gJ[i], &res[i]) + _s := 0 + _e := nbInner + for d := 0; d < degGJ; d++ { + summand := c.wire.Gate.Evaluate(c.engine, operands[_s+1:_e]...) + summand = c.engine.Mul(summand, operands[_s]) + res[d] = c.engine.Add(res[d], summand) + _s, _e = _e, _e+nbInner } - mu.Unlock() } - - const minBlockSize = 64 - - if nbOuter < minBlockSize { - // no parallelization - computeAll(0, nbOuter) - } - - // Perf-TODO: Separate functions Gate.TotalDegree and Gate.Degree(i) so that we get to use possibly smaller values for degGJ. Won't help with MiMC though - - return sumcheck.ReferenceBigIntSlice(gJ) + for i := 0; i < degGJ; i++ { + gJ[i] = c.engine.Add(gJ[i], res[i]) + } + return gJ } // Next first folds the "preprocessing" and "eq" polynomials then compute the new g_j func (c *eqTimesGateEvalSumcheckClaims) Next(element *big.Int) sumcheck.NativePolynomial { - const minBlockSize = 512 //asktodo whats the block size for our usecase/number of variable in multilinear poly? - n := len(c.eq) / 2 - if n < minBlockSize { - // no parallelization - for i := 0; i < len(c.inputPreprocessors); i++ { - sumcheck.Fold(c.engine, c.inputPreprocessors[i], element) - } - sumcheck.Fold(c.engine, c.eq, element) + for i := 0; i < len(c.inputPreprocessors); i++ { + sumcheck.Fold(c.engine, c.inputPreprocessors[i], element) } + sumcheck.Fold(c.engine, c.eq, element) return c.computeGJ() } -func (c *eqTimesGateEvalSumcheckClaims) VarsNum() int { - return len(c.evaluationPoints[0]) -} - -func (c *eqTimesGateEvalSumcheckClaims) ClaimsNum() int { - return len(c.claimedEvaluations) -} - func (c *eqTimesGateEvalSumcheckClaims) ProverFinalEval(r []*big.Int) sumcheck.NativeEvaluationProof { //defer the proof, return list of claims @@ -840,31 +805,48 @@ func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignme var baseChallenge []*big.Int for i := len(c) - 1; i >= 0; i-- { - + println("i", i) wire := o.sorted[i] if wire.IsOutput() { + println("wire is output prove i ", i) evaluation := sumcheck.Eval(be, assignment[wire], firstChallenge) claims.add(wire, sumcheck.DereferenceBigIntSlice(firstChallenge), *evaluation) } claim := claims.getClaim(be, wire) + var finalEvalProofLen int + finalEvalProof := proof[i].FinalEvalProof + if wire.noProof() { // input wires with one claim only + println("wire is input prove i ", i) proof[i] = sumcheck.NativeProof{ RoundPolyEvaluations: []sumcheck.NativePolynomial{}, - FinalEvalProof: []big.Int{}, + FinalEvalProof: finalEvalProof, } } else { - if proof[i], err = sumcheck.Prove( + proof[i], err = sumcheck.Prove( current, target, claim, - ); err != nil { + ) + if err != nil { return proof, err } - finalEvalProof := proof[i].FinalEvalProof.([]big.Int) - baseChallenge = make([]*big.Int, len(finalEvalProof)) - for i := range finalEvalProof { - baseChallenge[i] = &finalEvalProof[i] + finalEvalProof := proof[i].FinalEvalProof + switch finalEvalProof := finalEvalProof.(type) { + case nil: + finalEvalProof = sumcheck.NativeDeferredEvalProof([]big.Int{}) + case []big.Int: + finalEvalProofLen = len(finalEvalProof) + finalEvalProof = sumcheck.NativeDeferredEvalProof(finalEvalProof) + default: + return nil, fmt.Errorf("finalEvalProof is not of type DeferredEvalProof") + } + + proof[i].FinalEvalProof = finalEvalProof + baseChallenge = make([]*big.Int, finalEvalProofLen) + for i := 0; i < finalEvalProofLen; i++ { + baseChallenge[i] = &finalEvalProof.([]big.Int)[i] } } // the verifier checks a single claim about input wires itself @@ -897,8 +879,9 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitEmulated[FR], assign var baseChallenge []emulated.Element[FR] for i := len(c) - 1; i >= 0; i-- { wire := o.sorted[i] - + println("i", i) if wire.IsOutput() { + println("wire is output verify i ", i) var evaluation emulated.Element[FR] evaluationPtr, err := v.p.EvalMultilinear(polynomial.FromSlice(firstChallenge), assignment[wire]) if err != nil { @@ -912,15 +895,33 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitEmulated[FR], assign finalEvalProof := proofW.FinalEvalProof claim := claims.getLazyClaim(wire) + println("len(claim.evaluationPoints)", len(claim.evaluationPoints)) + if len(claim.evaluationPoints) > 0 { + println("len(claim.evaluationPoints[0])", len(claim.evaluationPoints[0])) + } else { + println("claim.evaluationPoints is empty") + } + if wire.noProof() { // input wires with one claim only // make sure the proof is empty // make sure finalevalproof is of type deferred for gkr - if (finalEvalProof != nil && len(finalEvalProof.(sumcheck.DeferredEvalProof[emulated.FieldParams])) != 0) || len(proofW.RoundPolyEvaluations) != 0 { + println("wire is input verify i ", i) + var proofLen int + switch proof := finalEvalProof.(type) { + case []emulated.Element[FR]: + proofLen = len(sumcheck.DeferredEvalProof[FR](proof)) + default: + return fmt.Errorf("finalEvalProof is not of type DeferredEvalProof") + } + + if (finalEvalProof != nil && proofLen != 0) || len(proofW.RoundPolyEvaluations) != 0 { return fmt.Errorf("no proof allowed for input wire with a single claim") } if wire.NbClaims() == 1 { // input wire // simply evaluate and see if it matches + println("wire is input verify i ", i) + //println("claim.claimedEvaluations[0]", claim.claimedEvaluations[0].Limbs) var evaluation emulated.Element[FR] evaluationPtr, err := v.p.EvalMultilinear(polynomial.FromSlice(claim.evaluationPoints[0]), assignment[wire]) if err != nil { @@ -932,7 +933,12 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitEmulated[FR], assign } else if err = sumcheck_verifier.Verify( claim, proof[i], ); err == nil { - baseChallenge = finalEvalProof.(sumcheck.DeferredEvalProof[FR]) + switch proof := finalEvalProof.(type) { + case []emulated.Element[FR]: + baseChallenge = sumcheck.DeferredEvalProof[FR](proof) + default: + return fmt.Errorf("finalEvalProof is not of type DeferredEvalProof") + } _ = baseChallenge } else { return err @@ -1195,13 +1201,38 @@ func (a WireAssignmentEmulated[FR]) NumVars() int { panic("empty assignment") } +// func (p Proofs[FR]) Serialize() []emulated.Element[FR] { +// size := 0 +// for i := range p { +// for j := range p[i].RoundPolyEvaluations { +// size += len(p[i].RoundPolyEvaluations[j]) +// } +// size += len(p[i].FinalEvalProof.(sumcheck.DeferredEvalProof[FR])) +// } + +// res := make([]emulated.Element[FR], 0, size) +// for i := range p { +// for j := range p[i].RoundPolyEvaluations { +// res = append(res, p[i].RoundPolyEvaluations[j]...) +// } +// res = append(res, p[i].FinalEvalProof.(sumcheck.DeferredEvalProof[FR])...) +// } +// if len(res) != size { +// panic("bug") // TODO: Remove +// } +// return res +// } + func (p Proofs[FR]) Serialize() []emulated.Element[FR] { size := 0 for i := range p { for j := range p[i].RoundPolyEvaluations { size += len(p[i].RoundPolyEvaluations[j]) } - size += len(p[i].FinalEvalProof.(sumcheck.DeferredEvalProof[FR])) + switch v := p[i].FinalEvalProof.(type) { + case sumcheck.DeferredEvalProof[FR]: + size += len(v) + } } res := make([]emulated.Element[FR], 0, size) @@ -1209,7 +1240,10 @@ func (p Proofs[FR]) Serialize() []emulated.Element[FR] { for j := range p[i].RoundPolyEvaluations { res = append(res, p[i].RoundPolyEvaluations[j]...) } - res = append(res, p[i].FinalEvalProof.(sumcheck.DeferredEvalProof[FR])...) + switch v := p[i].FinalEvalProof.(type) { + case sumcheck.DeferredEvalProof[FR]: + res = append(res, v...) + } } if len(res) != size { panic("bug") // TODO: Remove diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index 081153ef3c..4712505531 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -1,24 +1,29 @@ package sumcheck import ( + "encoding/binary" "encoding/json" "fmt" + gohash "hash" + "math" "os" "path/filepath" "reflect" + //"strconv" - "testing" "math/big" + "testing" "github.com/consensys/gnark-crypto/ecc" "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark/frontend/cs/scs" fiatshamir "github.com/consensys/gnark/std/fiat-shamir" - "github.com/consensys/gnark/std/recursion/gkr/utils" "github.com/consensys/gnark/std/math/emulated" - "github.com/consensys/gnark/std/math/polynomial" - "github.com/consensys/gnark/frontend/cs/scs" - //"github.com/consensys/gnark/std/hash" + "github.com/consensys/gnark/std/math/emulated/emparams" + "github.com/consensys/gnark/std/recursion/gkr/utils" + + // "github.com/consensys/gnark/std/hash" "github.com/consensys/gnark/std/recursion" "github.com/consensys/gnark/std/recursion/sumcheck" "github.com/consensys/gnark/test" @@ -231,7 +236,6 @@ func testSingleAddGate[FR emulated.FieldParams](t *testing.T, current *big.Int, Inputs: []*Wire{&c[0], &c[1]}, } - //assert := test.NewAssert(t) be := sumcheck.NewBigIntEngine(current) output := make([][]*big.Int, len(inputAssignments)) for i, in := range inputAssignments { @@ -265,12 +269,11 @@ func testSingleAddGate[FR emulated.FieldParams](t *testing.T, current *big.Int, ToFail: false, } - println("start_isSolved") err = test.IsSolved(validCircuit, assignmentGkr, current) - println("err", err) - //assert.NoError(t, err) + assert.NoError(t, err) + _, err = frontend.Compile(ecc.BN254.ScalarField(), scs.NewBuilder, validCircuit) - println("err", err) + assert.NoError(t, err) //t.Run("testSingleAddGate", generateVerifier(toEmulated(inputAssignments), toEmulated(output), proofEmulated)) @@ -451,7 +454,8 @@ func testSingleAddGate[FR emulated.FieldParams](t *testing.T, current *big.Int, // } // } func TestGkrVectorsEmulated(t *testing.T) { - + current := ecc.BN254.ScalarField() + var fr emparams.BN254Fp testDirPath := "./test_vectors" dirEntries, err := os.ReadDir(testDirPath) if err != nil { @@ -462,7 +466,8 @@ func TestGkrVectorsEmulated(t *testing.T) { path := filepath.Join(testDirPath, dirEntry.Name()) noExt := dirEntry.Name()[:len(dirEntry.Name())-len(".json")] - t.Run(noExt, generateTestVerifier[emulated.BN254Fr](path)) + t.Run(noExt, generateTestProver(path, *current, *fr.Modulus())) + //t.Run(noExt, generateTestVerifier[emparams.BN254Fp](path)) } } } @@ -511,10 +516,62 @@ func generateVerifier[FR emulated.FieldParams](Input [][]emulated.Element[FR], O fillWithBlanks(invalidCircuit.Output, len(Input[0])) assert.CheckCircuit(validCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) - //assert.CheckCircuit(invalidCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithInvalidAssignment(assignment)) + // assert.CheckCircuit(invalidCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithInvalidAssignment(assignment)) } } +func proofEquals(expected NativeProofs, seen NativeProofs) error { + if len(expected) != len(seen) { + return fmt.Errorf("length mismatch %d ≠ %d", len(expected), len(seen)) + } + for i, x := range expected { + xSeen := seen[i] + + xfinalEvalProofSeen := xSeen.FinalEvalProof + switch finalEvalProof := xfinalEvalProofSeen.(type) { + case nil: + xfinalEvalProofSeen = sumcheck.NativeDeferredEvalProof([]big.Int{}) + case []big.Int: + xfinalEvalProofSeen = sumcheck.NativeDeferredEvalProof(finalEvalProof) + default: + return fmt.Errorf("finalEvalProof is not of type DeferredEvalProof") + } + + if xSeen.FinalEvalProof == nil { + if seenFinalEval := x.FinalEvalProof.(sumcheck.NativeDeferredEvalProof); len(seenFinalEval) != 0 { + return fmt.Errorf("length mismatch %d ≠ %d", 0, len(seenFinalEval)) + } + } else { + if err := utils.SliceEqualsBigInt(x.FinalEvalProof.(sumcheck.NativeDeferredEvalProof), + xfinalEvalProofSeen.(sumcheck.NativeDeferredEvalProof)); err != nil { + return fmt.Errorf("final evaluation proof mismatch") + } + } + + roundPolyEvals := make([]sumcheck.NativePolynomial, len(x.RoundPolyEvaluations)) + copy(roundPolyEvals, x.RoundPolyEvaluations) + + roundPolyEvalsSeen := make([]sumcheck.NativePolynomial, len(xSeen.RoundPolyEvaluations)) + copy(roundPolyEvalsSeen, xSeen.RoundPolyEvaluations) + + for i, poly := range roundPolyEvals { + if err := utils.SliceEqualsBigInt(sumcheck.DereferenceBigIntSlice(poly), sumcheck.DereferenceBigIntSlice(roundPolyEvalsSeen[i])); err != nil { + return err + } + } + } + return nil +} + +func generateTestProver(path string, current big.Int, target big.Int) func(t *testing.T) { + return func(t *testing.T) { + testCase, err := newTestCase(path, target) + assert.NoError(t, err) + proof, err := Prove(¤t, &target, testCase.Circuit, testCase.FullAssignment, fiatshamir.WithHashBigInt(testCase.Hash)) + assert.NoError(t, err) + assert.NoError(t, proofEquals(testCase.Proof, proof)) + } +} func generateTestVerifier[FR emulated.FieldParams](path string, options ...option) func(t *testing.T) { var opts _options @@ -561,9 +618,9 @@ func generateTestVerifier[FR emulated.FieldParams](path string, options ...optio assert.CheckCircuit(validCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) } - if !opts.noFail { - assert.CheckCircuit(invalidCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithInvalidAssignment(assignment)) - } + // if !opts.noFail { + // assert.CheckCircuit(invalidCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithInvalidAssignment(assignment)) + // } } } @@ -577,7 +634,7 @@ type GkrVerifierCircuitEmulated[FR emulated.FieldParams] struct { func (c *GkrVerifierCircuitEmulated[FR]) Define(api frontend.API) error { var fr FR - var testCase *TestCase[FR] + var testCase *TestCaseVerifier[FR] var proof Proofs[FR] var err error @@ -586,6 +643,7 @@ func (c *GkrVerifierCircuitEmulated[FR]) Define(api frontend.API) error { return fmt.Errorf("new verifier: %w", err) } + println("c.TestCaseName", c.TestCaseName) // var proofRef Proof if testCase, err = getTestCase[FR](c.TestCaseName); err != nil { return err @@ -636,7 +694,7 @@ func fillWithBlanks[FR emulated.FieldParams](slice [][]emulated.Element[FR], siz } } -type TestCase[FR emulated.FieldParams] struct { +type TestCaseVerifier[FR emulated.FieldParams] struct { Circuit CircuitEmulated[FR] Hash utils.HashDescription Proof Proofs[FR] @@ -655,17 +713,17 @@ type TestCaseInfo struct { // var testCases = make(map[string]*TestCase[emulated.FieldParams]) var testCases = make(map[string]interface{}) -func getTestCase[FR emulated.FieldParams](path string) (*TestCase[FR], error) { +func getTestCase[FR emulated.FieldParams](path string) (*TestCaseVerifier[FR], error) { path, err := filepath.Abs(path) if err != nil { return nil, err } dir := filepath.Dir(path) - cse, ok := testCases[path].(*TestCase[FR]) + cse, ok := testCases[path].(*TestCaseVerifier[FR]) if !ok { var bytes []byte - cse = &TestCase[FR]{} + cse = &TestCaseVerifier[FR]{} if bytes, err = os.ReadFile(path); err == nil { var info TestCaseInfo err = json.Unmarshal(bytes, &info) @@ -673,11 +731,17 @@ func getTestCase[FR emulated.FieldParams](path string) (*TestCase[FR], error) { return nil, err } - if cse.Circuit, err = getCircuit[FR](filepath.Join(dir, info.Circuit)); err != nil { + if cse.Circuit, err = getCircuitEmulated[FR](filepath.Join(dir, info.Circuit)); err != nil { return nil, err } - cse.Proof = unmarshalProof[FR](info.Proof) + + nativeProofs := unmarshalProof(info.Proof) + proofs := make(Proofs[FR], len(nativeProofs)) + for i, proof := range nativeProofs { + proofs[i] = sumcheck.ValueOfProof[FR](proof) + } + cse.Proof = proofs cse.Input = utils.ToVariableSliceSliceFr[FR](info.Input) cse.Output = utils.ToVariableSliceSliceFr[FR](info.Output) @@ -699,10 +763,31 @@ type WireInfo struct { type CircuitInfo []WireInfo -// var circuitCache = make(map[string]CircuitFr[emulated.FieldParams]) var circuitCache = make(map[string]interface{}) -func getCircuit[FR emulated.FieldParams](path string) (circuit CircuitEmulated[FR], err error) { +func getCircuit(path string) (circuit Circuit, err error) { + path, err = filepath.Abs(path) + if err != nil { + return + } + var ok bool + if circuit, ok = circuitCache[path].(Circuit); ok { + return + } + var bytes []byte + if bytes, err = os.ReadFile(path); err == nil { + var circuitInfo CircuitInfo + if err = json.Unmarshal(bytes, &circuitInfo); err == nil { + circuit, err = toCircuit(circuitInfo) + if err == nil { + circuitCache[path] = circuit + } + } + } + return +} + +func getCircuitEmulated[FR emulated.FieldParams](path string) (circuit CircuitEmulated[FR], err error) { path, err = filepath.Abs(path) if err != nil { return @@ -748,6 +833,25 @@ func toCircuitEmulated[FR emulated.FieldParams](c CircuitInfo) (circuit CircuitE return } +func toCircuit(c CircuitInfo) (circuit Circuit, err error) { + + circuit = make(Circuit, len(c)) + for i, wireInfo := range c { + circuit[i].Inputs = make([]*Wire, len(wireInfo.Inputs)) + for iAsInput, iAsWire := range wireInfo.Inputs { + input := &circuit[iAsWire] + circuit[i].Inputs[iAsInput] = input + } + + var found bool + if circuit[i].Gate, found = Gates[wireInfo.Gate]; !found && wireInfo.Gate != "" { + err = fmt.Errorf("undefined gate \"%s\"", wireInfo.Gate) + } + } + + return +} + type _select[FR emulated.FieldParams] int // func init() { @@ -772,33 +876,78 @@ type PrintableProof []PrintableSumcheckProof type PrintableSumcheckProof struct { FinalEvalProof interface{} `json:"finalEvalProof"` - RoundPolyEvaluations [][]interface{} `json:"partialSumPolys"` + RoundPolyEvaluations [][]interface{} `json:"roundPolyEvaluations"` } -func unmarshalProof[FR emulated.FieldParams](printable PrintableProof) (proof Proofs[FR]) { - - proof = make(Proofs[FR], len(printable)) +func unmarshalProof(printable PrintableProof) (proof NativeProofs) { + proof = make(NativeProofs, len(printable)) for i := range printable { if printable[i].FinalEvalProof != nil { finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) - finalEvalProof := make(sumcheck.DeferredEvalProof[FR], finalEvalSlice.Len()) + finalEvalProof := make(sumcheck.NativeDeferredEvalProof, finalEvalSlice.Len()) for k := range finalEvalProof { - finalEvalProof[k] = utils.ToVariableFr[FR](finalEvalSlice.Index(k).Interface()) + finalEvalSlice := finalEvalSlice.Index(k).Interface().([]interface{}) + var byteArray []byte + for _, val := range finalEvalSlice { + floatVal := val.(float64) + bits := math.Float64bits(floatVal) + bytes := make([]byte, 8) + binary.BigEndian.PutUint64(bytes, bits) + byteArray = append(byteArray, bytes...) + } + finalEvalProof[k] = *big.NewInt(0).SetBytes(byteArray) } proof[i].FinalEvalProof = finalEvalProof } else { proof[i].FinalEvalProof = nil } - proof[i].RoundPolyEvaluations = make([]polynomial.Univariate[FR], len(printable[i].RoundPolyEvaluations)) + proof[i].RoundPolyEvaluations = make([]sumcheck.NativePolynomial, len(printable[i].RoundPolyEvaluations)) for k := range printable[i].RoundPolyEvaluations { - proof[i].RoundPolyEvaluations[k] = utils.ToVariableSliceFr[FR](printable[i].RoundPolyEvaluations[k]) + evals := printable[i].RoundPolyEvaluations[k] + proof[i].RoundPolyEvaluations[k] = make(sumcheck.NativePolynomial, len(evals)) + for j, eval := range evals { + evalSlice := reflect.ValueOf(eval).Interface().([]interface{}) + var byteArray []byte + for _, val := range evalSlice { + floatVal := val.(float64) + bits := math.Float64bits(floatVal) + bytes := make([]byte, 8) + binary.BigEndian.PutUint64(bytes, bits) + byteArray = append(byteArray, bytes...) + } + proof[i].RoundPolyEvaluations[k][j] = big.NewInt(0).SetBytes(byteArray) + } } + } return } +// func unmarshalProofEmulated[FR emulated.FieldParams](printable PrintableProof) (proof Proofs[FR]) { +// proof = make(Proofs[FR], len(printable)) +// for i := range printable { + +// if printable[i].FinalEvalProof != nil { +// finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) +// finalEvalProof := make(sumcheck.DeferredEvalProof[FR], finalEvalSlice.Len()) +// for k := range finalEvalProof { +// finalEvalProof[k] = utils.ToVariableFr[FR](finalEvalSlice.Index(k).Interface()) +// } +// proof[i].FinalEvalProof = finalEvalProof +// } else { +// proof[i].FinalEvalProof = nil +// } + +// proof[i].RoundPolyEvaluations = make([]polynomial.Univariate[FR], len(printable[i].RoundPolyEvaluations)) +// for k := range printable[i].RoundPolyEvaluations { +// proof[i].RoundPolyEvaluations[k] = utils.ToVariableSliceFr[FR](printable[i].RoundPolyEvaluations[k]) +// } +// } +// return +// } + func TestLogNbInstances(t *testing.T) { type FR = emulated.BN254Fp testLogNbInstances := func(path string) func(t *testing.T) { @@ -821,7 +970,7 @@ func TestLogNbInstances(t *testing.T) { func TestLoadCircuit(t *testing.T) { type FR = emulated.BN254Fp - c, err := getCircuit[FR]("test_vectors/resources/two_identity_gates_composed_single_input.json") + c, err := getCircuitEmulated[FR]("test_vectors/resources/two_identity_gates_composed_single_input.json") assert.NoError(t, err) assert.Equal(t, []*WireEmulated[FR]{}, c[0].Inputs) assert.Equal(t, []*WireEmulated[FR]{&c[0]}, c[1].Inputs) @@ -960,121 +1109,102 @@ func TestTopSortWide(t *testing.T) { // return proof, nil // } -// type TestCase struct { -// Circuit Circuit -// Hash hash.Hash -// Proof Proof -// FullAssignment WireAssignment -// InOutAssignment WireAssignment -// } - -// type TestCaseInfo struct { -// Hash utils.HashDescription `json:"hash"` -// Circuit string `json:"circuit"` -// Input [][]interface{} `json:"input"` -// Output [][]interface{} `json:"output"` -// Proof PrintableProof `json:"proof"` -// } +type TestCase struct { + Current big.Int + Target big.Int + Circuit Circuit + Hash gohash.Hash //utils.HashDescription + Proof NativeProofs + FullAssignment WireAssignment + InOutAssignment WireAssignment +} // var testCases = make(map[string]*TestCase) -// func newTestCase(path string) (*TestCase, error) { -// path, err := filepath.Abs(path) -// if err != nil { -// return nil, err -// } -// dir := filepath.Dir(path) - -// tCase, ok := testCases[path] -// if !ok { -// var bytes []byte -// if bytes, err = os.ReadFile(path); err == nil { -// var info TestCaseInfo -// err = json.Unmarshal(bytes, &info) -// if err != nil { -// return nil, err -// } - -// var circuit Circuit -// if circuit, err = getCircuit(filepath.Join(dir, info.Circuit)); err != nil { -// return nil, err -// } -// var _hash hash.Hash -// if _hash, err = utils.HashFromDescription(info.Hash); err != nil { -// return nil, err -// } -// var proof Proof -// if proof, err = unmarshalProof(info.Proof); err != nil { -// return nil, err -// } - -// fullAssignment := make(WireAssignment) -// inOutAssignment := make(WireAssignment) - -// sorted := topologicalSort(circuit) - -// inI, outI := 0, 0 -// for _, w := range sorted { -// var assignmentRaw []interface{} -// if w.IsInput() { -// if inI == len(info.Input) { -// return nil, fmt.Errorf("fewer input in vector than in circuit") -// } -// assignmentRaw = info.Input[inI] -// inI++ -// } else if w.IsOutput() { -// if outI == len(info.Output) { -// return nil, fmt.Errorf("fewer output in vector than in circuit") -// } -// assignmentRaw = info.Output[outI] -// outI++ -// } -// if assignmentRaw != nil { -// var wireAssignment []fr.Element -// if wireAssignment, err = utils.SliceToElementSlice(assignmentRaw); err != nil { -// return nil, err -// } - -// fullAssignment[w] = wireAssignment -// inOutAssignment[w] = wireAssignment -// } -// } +func newTestCase(path string, target big.Int) (*TestCase, error) { + path, err := filepath.Abs(path) + if err != nil { + return nil, err + } + dir := filepath.Dir(path) -// fullAssignment.Complete(circuit) + tCase, ok := testCases[path] + if !ok { + var bytes []byte + if bytes, err = os.ReadFile(path); err == nil { + var info TestCaseInfo + err = json.Unmarshal(bytes, &info) + if err != nil { + return nil, err + } -// for _, w := range sorted { -// if w.IsOutput() { + var circuit Circuit + if circuit, err = getCircuit(filepath.Join(dir, info.Circuit)); err != nil { + return nil, err + } + var _hash gohash.Hash + if _hash, err = utils.HashFromDescription(info.Hash); err != nil { + return nil, err + } -// if err = utils.SliceEquals(inOutAssignment[w], fullAssignment[w]); err != nil { -// return nil, fmt.Errorf("assignment mismatch: %v", err) -// } + proof := unmarshalProof(info.Proof) + + fullAssignment := make(WireAssignment) + inOutAssignment := make(WireAssignment) + + sorted := topologicalSort(circuit) + + inI, outI := 0, 0 + for _, w := range sorted { + var assignmentRaw []interface{} + if w.IsInput() { + if inI == len(info.Input) { + return nil, fmt.Errorf("fewer input in vector than in circuit") + } + assignmentRaw = info.Input[inI] + inI++ + } else if w.IsOutput() { + if outI == len(info.Output) { + return nil, fmt.Errorf("fewer output in vector than in circuit") + } + assignmentRaw = info.Output[outI] + outI++ + } + if assignmentRaw != nil { + var wireAssignment []big.Int + if wireAssignment, err = utils.SliceToBigIntSlice(assignmentRaw); err != nil { + return nil, err + } + fullAssignment[w] = sumcheck.NativeMultilinear(utils.ConvertToBigIntSlice(wireAssignment)) + inOutAssignment[w] = sumcheck.NativeMultilinear(utils.ConvertToBigIntSlice(wireAssignment)) + } + } -// } -// } + fullAssignment.Complete(circuit, &target) -// tCase = &TestCase{ -// FullAssignment: fullAssignment, -// InOutAssignment: inOutAssignment, -// Proof: proof, -// Hash: _hash, -// Circuit: circuit, -// } + for _, w := range sorted { + if w.IsOutput() { -// testCases[path] = tCase -// } else { -// return nil, err -// } -// } + if err = utils.SliceEqualsBigInt(sumcheck.DereferenceBigIntSlice(inOutAssignment[w]), sumcheck.DereferenceBigIntSlice(fullAssignment[w])); err != nil { + return nil, fmt.Errorf("assignment mismatch: %v", err) + } -// return tCase, nil -// } + } + } -// type _select int + tCase = &TestCase{ + FullAssignment: fullAssignment, + InOutAssignment: inOutAssignment, + Proof: proof, + Hash: _hash, + Circuit: circuit, + } -// func (g _select) Evaluate(in ...fr.Element) fr.Element { -// return in[g] -// } + testCases[path] = tCase + } else { + return nil, err + } + } -// func (g _select) Degree() int { -// return 1 -// } + return tCase.(*TestCase), nil +} diff --git a/std/recursion/gkr/test_vectors/mimc_five_levels_two_instances._json b/std/recursion/gkr/test_vectors/mimc_five_levels_two_instances._json deleted file mode 100644 index 446d23fdb2..0000000000 --- a/std/recursion/gkr/test_vectors/mimc_five_levels_two_instances._json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "hash": {"type": "const", "val": -1}, - "circuit": "resources/mimc_five_levels.json", - "input": [[1, 3], [1, 3], [1, 3], [1, 3], [1, 3], [1, 3]], - "output": [[4, 3]], - "proof": [[{"partialSumPolys":[[3,4]],"finalEvalProof":[3]}],[{"partialSumPolys":null,"finalEvalProof":null}]] -} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json b/std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates_two_instances.json similarity index 83% rename from std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json rename to std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates_two_instances.json index 2c95f044f2..a995f7197a 100644 --- a/std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json +++ b/std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates_two_instances.json @@ -23,7 +23,7 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ 0, 0 @@ -34,7 +34,7 @@ "finalEvalProof": [ 1 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -3, -16 @@ -45,7 +45,7 @@ "finalEvalProof": [ 1 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -3, -16 diff --git a/std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json b/std/recursion/gkr/test_vectors/resources/single_input_two_outs_two_instances.json similarity index 83% rename from std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json rename to std/recursion/gkr/test_vectors/resources/single_input_two_outs_two_instances.json index d348303d0e..6dace72193 100644 --- a/std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json +++ b/std/recursion/gkr/test_vectors/resources/single_input_two_outs_two_instances.json @@ -23,7 +23,7 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ 0, 0 @@ -34,7 +34,7 @@ "finalEvalProof": [ 0 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -4, -36, @@ -46,7 +46,7 @@ "finalEvalProof": [ 0 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -2, -12 diff --git a/std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json b/std/recursion/gkr/test_vectors/resources/single_mul_gate_two_instances.json similarity index 80% rename from std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json rename to std/recursion/gkr/test_vectors/resources/single_mul_gate_two_instances.json index 75c1d59c3d..ba854e37f5 100644 --- a/std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json +++ b/std/recursion/gkr/test_vectors/resources/single_mul_gate_two_instances.json @@ -23,18 +23,18 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [ 5, 1 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -9, -32, diff --git a/std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json b/std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input_two_instances.json similarity index 81% rename from std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json rename to std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input_two_instances.json index 10e5f1ff3c..e145c7d18d 100644 --- a/std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json +++ b/std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input_two_instances.json @@ -19,13 +19,13 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [ 3 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -1, 0 @@ -36,7 +36,7 @@ "finalEvalProof": [ 3 ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ -1, 0 diff --git a/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json b/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json index ce326d0a63..18d1f44c39 100644 --- a/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json +++ b/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json @@ -19,16 +19,31 @@ "proof": [ { "finalEvalProof": [], - "partialSumPolys": [] + "roundPolyEvaluations": [] }, { "finalEvalProof": [ - 5 + [ + 2.1129583785431688e-78, + 7.380245878097748e-203, + -9.448716071046593e+106, + -1.7059667400226023e-211 + ] ], - "partialSumPolys": [ + "roundPolyEvaluations": [ [ - -3, - -8 + [ + 4.107435820551428e-295, + -8.39085766387766e-250, + -3.0805133636173705e+302, + 3.9607963698746494e-92 + ], + [ + 1.51309699491893e-281, + 5.632421638135887e-191, + -2.6056281893145424e+296, + 1.338485906067006e+125 + ] ] ] } diff --git a/std/recursion/gkr/test_vectors/single_mimc_gate_four_instances.json b/std/recursion/gkr/test_vectors/single_mimc_gate_four_instances.json deleted file mode 100644 index 525459ecb1..0000000000 --- a/std/recursion/gkr/test_vectors/single_mimc_gate_four_instances.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "hash": { - "type": "const", - "val": -1 - }, - "circuit": "resources/single_mimc_gate.json", - "input": [ - [ - 1, - 1, - 2, - 1 - ], - [ - 1, - 2, - 2, - 1 - ] - ], - "output": [ - [ - 128, - 2187, - 16384, - 128 - ] - ], - "proof": [ - { - "finalEvalProof": [], - "partialSumPolys": [] - }, - { - "finalEvalProof": [], - "partialSumPolys": [] - }, - { - "finalEvalProof": [ - -1, - -3 - ], - "partialSumPolys": [ - [ - -32640, - -2239484, - -29360128, - "-200000010", - "-931628672", - "-3373267120", - "-10200858624", - "-26939400158" - ], - [ - -81920, - -41943040, - "-1254113280", - "-13421772800", - "-83200000000", - "-366917713920", - "-1281828208640", - "-3779571220480" - ] - ] - } - ] -} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_mimc_gate_two_instances.json b/std/recursion/gkr/test_vectors/single_mimc_gate_two_instances.json deleted file mode 100644 index 7fa23ce4b1..0000000000 --- a/std/recursion/gkr/test_vectors/single_mimc_gate_two_instances.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "hash": { - "type": "const", - "val": -1 - }, - "circuit": "resources/single_mimc_gate.json", - "input": [ - [ - 1, - 1 - ], - [ - 1, - 2 - ] - ], - "output": [ - [ - 128, - 2187 - ] - ], - "proof": [ - { - "finalEvalProof": [], - "partialSumPolys": [] - }, - { - "finalEvalProof": [], - "partialSumPolys": [] - }, - { - "finalEvalProof": [ - 1, - 0 - ], - "partialSumPolys": [ - [ - -2187, - -65536, - -546875, - -2799360, - -10706059, - -33554432, - -90876411, - "-220000000" - ] - ] - } - ] -} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json b/std/recursion/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json deleted file mode 100644 index 19e127df71..0000000000 --- a/std/recursion/gkr/test_vectors/two_inputs_select-input-3_gate_two_instances.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "hash": { - "type": "const", - "val": -1 - }, - "circuit": "resources/two_inputs_select-input-3_gate.json", - "input": [ - [ - 0, - 1 - ], - [ - 2, - 3 - ] - ], - "output": [ - [ - 2, - 3 - ] - ], - "proof": [ - { - "finalEvalProof": [], - "partialSumPolys": [] - }, - { - "finalEvalProof": [], - "partialSumPolys": [] - }, - { - "finalEvalProof": [ - -1, - 1 - ], - "partialSumPolys": [ - [ - -3, - -16 - ] - ] - } - ] -} \ No newline at end of file diff --git a/std/recursion/gkr/utils/util.go b/std/recursion/gkr/utils/util.go index 068fa6d0a5..542106240d 100644 --- a/std/recursion/gkr/utils/util.go +++ b/std/recursion/gkr/utils/util.go @@ -11,6 +11,38 @@ import ( "github.com/stretchr/testify/assert" ) +func SliceToBigIntSlice[T any](slice []T) ([]big.Int, error) { + elementSlice := make([]big.Int, len(slice)) + for i, v := range slice { + switch v := any(v).(type) { + case float64: + elementSlice[i] = *big.NewInt(int64(v)) + default: + return nil, fmt.Errorf("unsupported type: %T", v) + } + } + return elementSlice, nil +} + +func ConvertToBigIntSlice(input []big.Int) []*big.Int { + output := make([]*big.Int, len(input)) + for i := range input { + output[i] = &input[i] + } + return output +} + +func SliceEqualsBigInt(a []big.Int, b []big.Int) error { + if len(a) != len(b) { + return fmt.Errorf("length mismatch %d≠%d", len(a), len(b)) + } + for i := range a { + if a[i].Cmp(&b[i]) != 0 { + return fmt.Errorf("at index %d: %s ≠ %s", i, a[i].String(), b[i].String()) + } + } + return nil +} func ToVariableFr[FR emulated.FieldParams](v interface{}) emulated.Element[FR] { switch vT := v.(type) { diff --git a/std/recursion/sumcheck/claimable_gate.go b/std/recursion/sumcheck/claimable_gate.go index 0d5d572ce7..1e1bbac602 100644 --- a/std/recursion/sumcheck/claimable_gate.go +++ b/std/recursion/sumcheck/claimable_gate.go @@ -251,7 +251,7 @@ func (g *nativeGateClaim) Combine(coeff *big.Int) NativePolynomial { for k := 1; k < nbClaims; k++ { newEq[0] = g.engine.One() - g.eq = eqAcc(g.engine, g.eq, newEq, g.evaluationPoints[k]) + g.eq = EqAcc(g.engine, g.eq, newEq, g.evaluationPoints[k]) if k+1 < nbClaims { aI = g.engine.Mul(aI, coeff) } diff --git a/std/recursion/sumcheck/polynomial.go b/std/recursion/sumcheck/polynomial.go index 7ade42e22b..883b2be2f8 100644 --- a/std/recursion/sumcheck/polynomial.go +++ b/std/recursion/sumcheck/polynomial.go @@ -76,7 +76,7 @@ func Eval(api *BigIntEngine, ml NativeMultilinear, r []*big.Int) *big.Int { return mlCopy[0] } -func eqAcc(api *BigIntEngine, e NativeMultilinear, m NativeMultilinear, q []*big.Int) NativeMultilinear { +func EqAcc(api *BigIntEngine, e NativeMultilinear, m NativeMultilinear, q []*big.Int) NativeMultilinear { if len(e) != len(m) { panic("length mismatch") } diff --git a/std/recursion/sumcheck/proof.go b/std/recursion/sumcheck/proof.go index bf1f93bdce..a651afcffe 100644 --- a/std/recursion/sumcheck/proof.go +++ b/std/recursion/sumcheck/proof.go @@ -29,8 +29,9 @@ type NativeProof struct { // - if it is deferred, then it is a slice. type EvaluationProof any -// evaluationProof for gkr +// evaluationProof for gkr type DeferredEvalProof[FR emulated.FieldParams] []emulated.Element[FR] +type NativeDeferredEvalProof []big.Int type NativeEvaluationProof any @@ -39,7 +40,7 @@ func ValueOfProof[FR emulated.FieldParams](nproof NativeProof) Proof[FR] { finaleval := nproof.FinalEvalProof if finaleval != nil { switch v := finaleval.(type) { - case []big.Int: + case NativeDeferredEvalProof: deferredEval := make(DeferredEvalProof[FR], len(v)) for i := range v { deferredEval[i] = emulated.ValueOf[FR](v[i]) diff --git a/std/sumcheck/sumcheck.go b/std/sumcheck/sumcheck.go index de3689cbb8..cf290f4aef 100644 --- a/std/sumcheck/sumcheck.go +++ b/std/sumcheck/sumcheck.go @@ -20,7 +20,7 @@ type LazyClaims interface { // Proof of a multi-sumcheck statement. type Proof struct { - PartialSumPolys []polynomial.Polynomial + RoundPolyEvaluations []polynomial.Polynomial FinalEvalProof interface{} } @@ -83,18 +83,17 @@ func Verify(api frontend.API, claims LazyClaims, proof Proof, transcriptSettings gJ := make(polynomial.Polynomial, maxDegree+1) //At the end of iteration j, gJ = ∑_{i < 2ⁿ⁻ʲ⁻¹} g(X₁, ..., Xⱼ₊₁, i...) NOTE: n is shorthand for claims.VarsNum() gJR := claims.CombinedSum(api, combinationCoeff) // At the beginning of iteration j, gJR = ∑_{i < 2ⁿ⁻ʲ} g(r₁, ..., rⱼ, i...) - for j := 0; j < claims.VarsNum(); j++ { - partialSumPoly := proof.PartialSumPolys[j] //proof.PartialSumPolys(j) - if len(partialSumPoly) != claims.Degree(j) { + roundPolyEvaluation := proof.RoundPolyEvaluations[j] //proof.RoundPolyEvaluations(j) + if len(roundPolyEvaluation) != claims.Degree(j) { return fmt.Errorf("malformed proof") //Malformed proof } - copy(gJ[1:], partialSumPoly) - gJ[0] = api.Sub(gJR, partialSumPoly[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) + copy(gJ[1:], roundPolyEvaluation) + gJ[0] = api.Sub(gJR, roundPolyEvaluation[0]) // Requirement that gⱼ(0) + gⱼ(1) = gⱼ₋₁(r) // gJ is ready //Prepare for the next iteration - if r[j], err = next(transcript, proof.PartialSumPolys[j], &remainingChallengeNames); err != nil { + if r[j], err = next(transcript, proof.RoundPolyEvaluations[j], &remainingChallengeNames); err != nil { return err } From 93e787cb8be048c6dee94e152a68a6cd018c8984 Mon Sep 17 00:00:00 2001 From: ak36 Date: Sat, 29 Jun 2024 01:28:20 -0400 Subject: [PATCH 19/26] single identity gate passes testgkr --- .gotestfmt/downloads.gotpl | 36 --------- .gotestfmt/package.gotpl | 42 ---------- std/gkr/gkr_test.go | 7 +- std/recursion/gkr/gkr_nonnative.go | 97 +++++++++--------------- std/recursion/gkr/gkr_nonnative_test.go | 3 +- std/recursion/sumcheck/arithengine.go | 2 +- std/recursion/sumcheck/claimable_gate.go | 2 +- 7 files changed, 45 insertions(+), 144 deletions(-) delete mode 100644 .gotestfmt/downloads.gotpl delete mode 100644 .gotestfmt/package.gotpl diff --git a/.gotestfmt/downloads.gotpl b/.gotestfmt/downloads.gotpl deleted file mode 100644 index ca1cf92f55..0000000000 --- a/.gotestfmt/downloads.gotpl +++ /dev/null @@ -1,36 +0,0 @@ -{{- /*gotype: github.com/gotesttools/gotestfmt/v2/parser.Downloads*/ -}} -{{- /* -This template contains the format for a package download. -*/ -}} -{{- $settings := .Settings -}} -{{- if or .Packages .Reason -}} - {{- if or (not .Settings.HideSuccessfulDownloads) .Failed -}} - {{- if .Failed -}} - ❌ - {{- else -}} - 📥 - {{- end -}} - {{ " " }} Dependency downloads - {{ "\n" -}} - - {{- range .Packages -}} - {{- if or (not $settings.HideSuccessfulDownloads) .Failed -}} - {{- " " -}} - {{- if .Failed -}} - ❌ - {{- else -}} - 📦 - {{- end -}} - {{- " " -}} - {{- .Package }} {{ .Version -}} - {{- "\n" -}} - {{ with .Reason -}} - {{- " " -}}{{ . -}}{{ "\n" -}} - {{- end -}} - {{- end -}} - {{- end -}} - {{- with .Reason -}} - {{- " " -}}🛑 {{ . }}{{ "\n" -}} - {{- end -}} - {{- end -}} -{{- end -}} diff --git a/.gotestfmt/package.gotpl b/.gotestfmt/package.gotpl deleted file mode 100644 index 504949a86b..0000000000 --- a/.gotestfmt/package.gotpl +++ /dev/null @@ -1,42 +0,0 @@ -{{- /*gotype: github.com/gotesttools/gotestfmt/v2/parser.Package*/ -}} - -{{- $settings := .Settings -}} -{{- if and (or (not $settings.HideSuccessfulPackages) (ne .Result "PASS")) (or (not $settings.HideEmptyPackages) (ne .Result "SKIP") (ne (len .TestCases) 0)) -}} - 📦 `{{ .Name }}` - {{- with .Coverage -}} - ({{ . }}% coverage) - {{- end -}} - {{- "\n" -}} - {{- with .Reason -}} - {{- " " -}}🛑 {{ . -}}{{- "\n" -}} - {{- end -}} - {{- with .Output -}} - ```{{- "\n" -}} - {{- . -}}{{- "\n" -}} - ```{{- "\n" -}} - {{- end -}} - {{- with .TestCases -}} - {{- range . -}} - {{- if or (not $settings.HideSuccessfulTests) (ne .Result "PASS") -}} - {{- if eq .Result "PASS" -}} - ✅ - {{- else if eq .Result "SKIP" -}} - 🚧 - {{- else -}} - ❌ - {{- end -}} - {{ " " }}`{{- .Name -}}` {{ .Duration -}} - {{- "\n" -}} - - {{- with .Output -}} - ```{{- "\n" -}} - {{- formatTestOutput . $settings -}}{{- "\n" -}} - ```{{- "\n" -}} - {{- end -}} - - {{- "\n" -}} - {{- end -}} - {{- end -}} - {{- end -}} - {{- "\n" -}} -{{- end -}} diff --git a/std/gkr/gkr_test.go b/std/gkr/gkr_test.go index a9206aeda8..f077c7753d 100644 --- a/std/gkr/gkr_test.go +++ b/std/gkr/gkr_test.go @@ -7,6 +7,7 @@ import ( "path/filepath" "reflect" "testing" + "math/big" "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" @@ -134,7 +135,7 @@ func (c *GkrVerifierCircuit) Define(api frontend.API) error { func makeInOutAssignment(c Circuit, inputValues [][]frontend.Variable, outputValues [][]frontend.Variable) WireAssignment { sorted := topologicalSort(c) - res := make(WireAssignment, len(inputValues)+len(outputValues)) + res := make(WireAssignment, len(inputValues) + len(outputValues)) inI, outI := 0, 0 for _, w := range sorted { if w.IsInput() { @@ -165,8 +166,8 @@ type TestCase struct { type TestCaseInfo struct { Hash HashDescription `json:"hash"` Circuit string `json:"circuit"` - Input [][]interface{} `json:"input"` - Output [][]interface{} `json:"output"` + Input [][]big.Int `json:"input"` + Output [][]big.Int `json:"output"` Proof PrintableProof `json:"proof"` } diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index f517d11054..71501f4172 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -5,7 +5,6 @@ import ( "math/big" "slices" "strconv" - cryptofiatshamir "github.com/consensys/gnark-crypto/fiat-shamir" "github.com/consensys/gnark-crypto/utils" "github.com/consensys/gnark/frontend" @@ -136,8 +135,32 @@ type eqTimesGateEvalSumcheckLazyClaimsEmulated[FR emulated.FieldParams] struct { engine *sumcheck.EmuEngine[FR] } -func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) VerifyFinalEval(r []emulated.Element[FR], combinationCoeff, purportedValue emulated.Element[FR], proof sumcheck.DeferredEvalProof[FR]) error { - inputEvaluationsNoRedundancy := proof +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) NbClaims() int { + return len(e.evaluationPoints) +} + +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) NbVars() int { + return len(e.evaluationPoints[0]) +} + +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) CombinedSum(a *emulated.Element[FR]) *emulated.Element[FR] { + evalsAsPoly := polynomial.Univariate[FR](e.claimedEvaluations) + return e.verifier.p.EvalUnivariate(evalsAsPoly, a) +} + +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) Degree(int) int { + return 1 + e.wire.Gate.Degree() +} + +func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof sumcheck.EvaluationProof) error { + inputEvaluationsNoRedundancy := proof.([]emulated.Element[FR]) + // switch proof := proof.(type) { + // case []emulated.Element[FR]: + // fmt.Println("proof type: []emulated.Element") + // inputEvaluationsNoRedundancy = sumcheck.DeferredEvalProof[FR](proof) + // default: + // return fmt.Errorf("proof is not a DeferredEvalProof") + // } field, err := emulated.NewField[FR](e.verifier.api) if err != nil { return fmt.Errorf("failed to create field: %w", err) @@ -149,17 +172,17 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) VerifyFinalEval(r []emul // the eq terms numClaims := len(e.evaluationPoints) - evaluation := p.EvalEqual(polynomial.FromSlice(e.evaluationPoints[numClaims-1]), polynomial.FromSlice(r)) + evaluation := p.EvalEqual(polynomial.FromSlice(e.evaluationPoints[numClaims-1]), r) for i := numClaims - 2; i >= 0; i-- { - evaluation = field.Mul(evaluation, &combinationCoeff) - eq := p.EvalEqual(polynomial.FromSlice(e.evaluationPoints[i]), polynomial.FromSlice(r)) + evaluation = field.Mul(evaluation, combinationCoeff) + eq := p.EvalEqual(polynomial.FromSlice(e.evaluationPoints[i]), r) evaluation = field.Add(evaluation, eq) } // the g(...) term var gateEvaluation emulated.Element[FR] if e.wire.IsInput() { - gateEvaluationPtr, err := p.EvalMultilinear(polynomial.FromSlice(r), e.manager.assignment[e.wire]) + gateEvaluationPtr, err := p.EvalMultilinear(r, e.manager.assignment[e.wire]) if err != nil { return err } @@ -176,7 +199,7 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) VerifyFinalEval(r []emul indexesInProof[in] = indexInProof // defer verification, store new claim - e.manager.add(in, r, inputEvaluationsNoRedundancy[indexInProof]) + e.manager.add(in, polynomial.FromSliceReferences(r), inputEvaluationsNoRedundancy[indexInProof]) proofI++ } inputEvaluations[inI] = inputEvaluationsNoRedundancy[indexInProof] @@ -188,41 +211,10 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) VerifyFinalEval(r []emul } evaluation = field.Mul(evaluation, &gateEvaluation) - field.AssertIsEqual(evaluation, &purportedValue) + field.AssertIsEqual(evaluation, expectedValue) return nil } -func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) NbClaims() int { - return len(e.evaluationPoints) -} - -func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) NbVars() int { - return len(e.evaluationPoints[0]) -} - -func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) CombinedSum(a *emulated.Element[FR]) *emulated.Element[FR] { - evalsAsPoly := polynomial.Univariate[FR](e.claimedEvaluations) - return e.verifier.p.EvalUnivariate(evalsAsPoly, a) -} - -func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) Degree(int) int { - return 1 + e.wire.Gate.Degree() -} - -func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof sumcheck.EvaluationProof) error { - field, err := emulated.NewField[FR](e.verifier.api) - if err != nil { - return fmt.Errorf("failed to create field: %w", err) - } - val, err := e.verifier.p.EvalMultilinear(r, e.manager.assignment[e.wire]) - if err != nil { - return fmt.Errorf("evaluation error: %w", err) - } - - field.AssertIsEqual(val, expectedValue) - return nil -} - type claimsManagerEmulated[FR emulated.FieldParams] struct { claimsMap map[*WireEmulated[FR]]*eqTimesGateEvalSumcheckLazyClaimsEmulated[FR] assignment WireAssignmentEmulated[FR] @@ -231,7 +223,10 @@ type claimsManagerEmulated[FR emulated.FieldParams] struct { func newClaimsManagerEmulated[FR emulated.FieldParams](c CircuitEmulated[FR], assignment WireAssignmentEmulated[FR], verifier GKRVerifier[FR]) (claims claimsManagerEmulated[FR]) { claims.assignment = assignment claims.claimsMap = make(map[*WireEmulated[FR]]*eqTimesGateEvalSumcheckLazyClaimsEmulated[FR], len(c)) - + engine, err := sumcheck.NewEmulatedEngine[FR](verifier.api) + if err != nil { + panic(err) + } for i := range c { wire := &c[i] @@ -241,6 +236,7 @@ func newClaimsManagerEmulated[FR emulated.FieldParams](c CircuitEmulated[FR], as claimedEvaluations: make(polynomial.Multilinear[FR], wire.NbClaims()), manager: &claims, verifier: &verifier, + engine: engine, } } return @@ -284,14 +280,10 @@ func newClaimsManager(c Circuit, assignment WireAssignment) (claims claimsManage } func (m *claimsManager) add(wire *Wire, evaluationPoint []big.Int, evaluation big.Int) { - println("claim add") claim := m.claimsMap[wire] i := len(claim.evaluationPoints) - println("len claim.evaluationPoints before", i) - fmt.Printf("evaluation: %v\n", evaluation) claim.claimedEvaluations[i] = evaluation claim.evaluationPoints = append(claim.evaluationPoints, evaluationPoint) - println("len claim.evaluationPoints after", len(claim.evaluationPoints)) } func (m *claimsManager) getClaim(engine *sumcheck.BigIntEngine, wire *Wire) *eqTimesGateEvalSumcheckClaims { @@ -805,11 +797,9 @@ func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignme var baseChallenge []*big.Int for i := len(c) - 1; i >= 0; i-- { - println("i", i) wire := o.sorted[i] if wire.IsOutput() { - println("wire is output prove i ", i) evaluation := sumcheck.Eval(be, assignment[wire], firstChallenge) claims.add(wire, sumcheck.DereferenceBigIntSlice(firstChallenge), *evaluation) } @@ -819,7 +809,6 @@ func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignme finalEvalProof := proof[i].FinalEvalProof if wire.noProof() { // input wires with one claim only - println("wire is input prove i ", i) proof[i] = sumcheck.NativeProof{ RoundPolyEvaluations: []sumcheck.NativePolynomial{}, FinalEvalProof: finalEvalProof, @@ -879,9 +868,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitEmulated[FR], assign var baseChallenge []emulated.Element[FR] for i := len(c) - 1; i >= 0; i-- { wire := o.sorted[i] - println("i", i) if wire.IsOutput() { - println("wire is output verify i ", i) var evaluation emulated.Element[FR] evaluationPtr, err := v.p.EvalMultilinear(polynomial.FromSlice(firstChallenge), assignment[wire]) if err != nil { @@ -895,17 +882,9 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitEmulated[FR], assign finalEvalProof := proofW.FinalEvalProof claim := claims.getLazyClaim(wire) - println("len(claim.evaluationPoints)", len(claim.evaluationPoints)) - if len(claim.evaluationPoints) > 0 { - println("len(claim.evaluationPoints[0])", len(claim.evaluationPoints[0])) - } else { - println("claim.evaluationPoints is empty") - } - if wire.noProof() { // input wires with one claim only // make sure the proof is empty // make sure finalevalproof is of type deferred for gkr - println("wire is input verify i ", i) var proofLen int switch proof := finalEvalProof.(type) { case []emulated.Element[FR]: @@ -920,8 +899,6 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitEmulated[FR], assign if wire.NbClaims() == 1 { // input wire // simply evaluate and see if it matches - println("wire is input verify i ", i) - //println("claim.claimedEvaluations[0]", claim.claimedEvaluations[0].Limbs) var evaluation emulated.Element[FR] evaluationPtr, err := v.p.EvalMultilinear(polynomial.FromSlice(claim.evaluationPoints[0]), assignment[wire]) if err != nil { diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index 4712505531..2904f13e48 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -467,7 +467,7 @@ func TestGkrVectorsEmulated(t *testing.T) { noExt := dirEntry.Name()[:len(dirEntry.Name())-len(".json")] t.Run(noExt, generateTestProver(path, *current, *fr.Modulus())) - //t.Run(noExt, generateTestVerifier[emparams.BN254Fp](path)) + t.Run(noExt, generateTestVerifier[emparams.BN254Fp](path)) } } } @@ -516,6 +516,7 @@ func generateVerifier[FR emulated.FieldParams](Input [][]emulated.Element[FR], O fillWithBlanks(invalidCircuit.Output, len(Input[0])) assert.CheckCircuit(validCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) + //test.IsSolved(validCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) // assert.CheckCircuit(invalidCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithInvalidAssignment(assignment)) } } diff --git a/std/recursion/sumcheck/arithengine.go b/std/recursion/sumcheck/arithengine.go index 9743804a7a..2c2fedb28b 100644 --- a/std/recursion/sumcheck/arithengine.go +++ b/std/recursion/sumcheck/arithengine.go @@ -88,7 +88,7 @@ func (ee *EmuEngine[FR]) Const(i *big.Int) *emulated.Element[FR] { return ee.f.NewElement(i) } -func newEmulatedEngine[FR emulated.FieldParams](api frontend.API) (*EmuEngine[FR], error) { +func NewEmulatedEngine[FR emulated.FieldParams](api frontend.API) (*EmuEngine[FR], error) { f, err := emulated.NewField[FR](api) if err != nil { return nil, fmt.Errorf("new field: %w", err) diff --git a/std/recursion/sumcheck/claimable_gate.go b/std/recursion/sumcheck/claimable_gate.go index 1e1bbac602..ad2a3d3a45 100644 --- a/std/recursion/sumcheck/claimable_gate.go +++ b/std/recursion/sumcheck/claimable_gate.go @@ -71,7 +71,7 @@ func newGate[FR emulated.FieldParams](api frontend.API, gate gate[*EmuEngine[FR] if err != nil { return nil, fmt.Errorf("new polynomial: %w", err) } - engine, err := newEmulatedEngine[FR](api) + engine, err := NewEmulatedEngine[FR](api) if err != nil { return nil, fmt.Errorf("new emulated engine: %w", err) } From b091b79c42accaf6392b18cc3d47623d3b0d40d2 Mon Sep 17 00:00:00 2001 From: ak36 Date: Wed, 3 Jul 2024 21:20:50 -0400 Subject: [PATCH 20/26] testgkr passes --- std/math/emulated/field_mul.go | 101 ++- std/math/emulated/field_ops.go | 36 +- std/recursion/gkr/gkr_nonnative.go | 68 +- std/recursion/gkr/gkr_nonnative_test.go | 795 +++--------------- ...nput_two_identity_gates_two_instances.json | 56 -- .../single_input_two_outs_two_instances.json | 57 -- .../single_mimc_gate_two_instances.json | 89 ++ .../single_mul_gate_two_instances.json | 46 - ...s_composed_single_input_two_instances.json | 47 -- ...uts_select-input-3_gate_two_instances.json | 65 ++ .../single_identity_gate_two_instances.json | 28 +- ...nput_two_identity_gates_two_instances.json | 96 +++ .../single_input_two_outs_two_instances.json | 102 +++ .../single_mul_gate_two_instances.json | 71 ++ ...s_composed_single_input_two_instances.json | 77 ++ std/recursion/gkr/utils/util.go | 146 +--- std/recursion/sumcheck/polynomial.go | 17 + std/recursion/sumcheck/prover.go | 2 +- ...armul_gates_test.go => scalarmul_gates.go} | 44 +- .../{sumcheck_test.go => sumcheck.go} | 0 20 files changed, 820 insertions(+), 1123 deletions(-) delete mode 100644 std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates_two_instances.json delete mode 100644 std/recursion/gkr/test_vectors/resources/single_input_two_outs_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/resources/single_mimc_gate_two_instances.json delete mode 100644 std/recursion/gkr/test_vectors/resources/single_mul_gate_two_instances.json delete mode 100644 std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/resources/two_inputs_select-input-3_gate_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json create mode 100644 std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json rename std/recursion/sumcheck/{scalarmul_gates_test.go => scalarmul_gates.go} (93%) rename std/recursion/sumcheck/{sumcheck_test.go => sumcheck.go} (100%) diff --git a/std/math/emulated/field_mul.go b/std/math/emulated/field_mul.go index 278b9a5024..abc0f3dd87 100644 --- a/std/math/emulated/field_mul.go +++ b/std/math/emulated/field_mul.go @@ -115,47 +115,98 @@ func (mc *mulCheck[T]) cleanEvaluations() { // mulMod returns a*b mod r. In practice it computes the result using a hint and // defers the actual multiplication check. func (f *Field[T]) mulMod(a, b *Element[T], _ uint, p *Element[T]) *Element[T] { - f.enforceWidthConditional(a) - f.enforceWidthConditional(b) - f.enforceWidthConditional(p) - k, r, c, err := f.callMulHint(a, b, true, p) - if err != nil { - panic(err) - } - mc := mulCheck[T]{ - f: f, - a: a, - b: b, - c: c, - k: k, - r: r, - p: p, - } - f.mulChecks = append(f.mulChecks, mc) - return r + return f.mulModProfiling(a, b, p, true) + // f.enforceWidthConditional(a) + // f.enforceWidthConditional(b) + // f.enforceWidthConditional(p) + //k, r, c, err := f.callMulHint(a, b, true, p) + // if err != nil { + // panic(err) + // } + // mc := mulCheck[T]{ + // f: f, + // a: a, + // b: b, + // c: c, + // k: k, + // r: r, + // p: p, + // } + // f.mulChecks = append(f.mulChecks, mc) + // return r } // checkZero creates multiplication check a * 1 = 0 + k*p. func (f *Field[T]) checkZero(a *Element[T], p *Element[T]) { + f.mulModProfiling(a, f.shortOne(), p, false) // the method works similarly to mulMod, but we know that we are multiplying // by one and expected result should be zero. + // f.enforceWidthConditional(a) + // f.enforceWidthConditional(p) + // b := f.shortOne() + // k, r, c, err := f.callMulHint(a, b, false, p) + // if err != nil { + // panic(err) + // } + // mc := mulCheck[T]{ + // f: f, + // a: a, + // b: b, // one on single limb to speed up the polynomial evaluation + // c: c, + // k: k, + // r: r, // expected to be zero on zero limbs. + // p: p, + // } + // f.mulChecks = append(f.mulChecks, mc) +} + +func (f *Field[T]) mulModProfiling(a, b *Element[T], p *Element[T], isMulMod bool) *Element[T] { f.enforceWidthConditional(a) - f.enforceWidthConditional(p) - b := f.shortOne() - k, r, c, err := f.callMulHint(a, b, false, p) + f.enforceWidthConditional(b) + k, r, c, err := f.callMulHint(a, b, isMulMod, p) if err != nil { panic(err) } mc := mulCheck[T]{ f: f, a: a, - b: b, // one on single limb to speed up the polynomial evaluation + b: b, c: c, k: k, - r: r, // expected to be zero on zero limbs. - p: p, + r: r, } - f.mulChecks = append(f.mulChecks, mc) + var toCommit []frontend.Variable + toCommit = append(toCommit, mc.a.Limbs...) + toCommit = append(toCommit, mc.b.Limbs...) + toCommit = append(toCommit, mc.r.Limbs...) + toCommit = append(toCommit, mc.k.Limbs...) + toCommit = append(toCommit, mc.c.Limbs...) + multicommit.WithCommitment(f.api, func(api frontend.API, commitment frontend.Variable) error { + // we do nothing. We just want to ensure that we count the commitments + return nil + }, toCommit...) + // XXX: or use something variable to count the commitments and constraints properly. Maybe can use 123 from hint? + commitment := 123 + + // for efficiency, we compute all powers of the challenge as slice at. + coefsLen := max(len(mc.a.Limbs), len(mc.b.Limbs), + len(mc.c.Limbs), len(mc.k.Limbs)) + at := make([]frontend.Variable, coefsLen) + at[0] = commitment + for i := 1; i < len(at); i++ { + at[i] = f.api.Mul(at[i-1], commitment) + } + mc.evalRound1(at) + mc.evalRound2(at) + // evaluate p(X) at challenge + pval := f.evalWithChallenge(f.Modulus(), at) + // compute (2^t-X) at challenge + coef := big.NewInt(1) + coef.Lsh(coef, f.fParams.BitsPerLimb()) + ccoef := f.api.Sub(coef, commitment) + // verify all mulchecks + mc.check(f.api, pval.evaluation, ccoef) + return r } // evalWithChallenge represents element a as a polynomial a(X) and evaluates at diff --git a/std/math/emulated/field_ops.go b/std/math/emulated/field_ops.go index a9f0d9cda3..62f5f6e450 100644 --- a/std/math/emulated/field_ops.go +++ b/std/math/emulated/field_ops.go @@ -4,7 +4,7 @@ import ( "errors" "fmt" "math/bits" - + "math/big" "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/std/selector" ) @@ -368,3 +368,37 @@ type overflowError struct { func (e overflowError) Error() string { return fmt.Sprintf("op %s overflow %d exceeds max %d", e.op, e.nextOverflow, e.maxOverflow) } + +func (f *Field[T]) String(a *Element[T]) string { + // for debug only, if is not test engine then no-op + var fp T + blimbs := make([]*big.Int, len(a.Limbs)) + for i, v := range a.Limbs { + switch vv := v.(type) { + case *big.Int: + blimbs[i] = vv + case big.Int: + blimbs[i] = &vv + case int: + blimbs[i] = new(big.Int) + blimbs[i].SetInt64(int64(vv)) + case uint: + blimbs[i] = new(big.Int) + blimbs[i].SetUint64(uint64(vv)) + default: + return "???" + } + } + res := new(big.Int) + err := recompose(blimbs, fp.BitsPerLimb(), res) + if err != nil { + return "!!!" + } + reduced := new(big.Int).Mod(res, fp.Modulus()) + return reduced.String() +} + +func (f *Field[T]) Println(a *Element[T]) { + res := f.String(a) + fmt.Println(res) +} \ No newline at end of file diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index 71501f4172..fd25f184ff 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -1,4 +1,4 @@ -package sumcheck +package gkr import ( "fmt" @@ -17,15 +17,6 @@ import ( "github.com/consensys/gnark/std/recursion/sumcheck" ) -// @tabaie TODO: Contains many things copy-pasted from gnark-crypto. Generify somehow? - -// The goal is to prove/verify evaluations of many instances of the same circuit - -// type gateinput struct { -// api arithEngine -// element ...emulated.Element -// } - // Gate must be a low-degree polynomial type Gate interface { Evaluate(*sumcheck.BigIntEngine, ...*big.Int) *big.Int @@ -154,13 +145,6 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) Degree(int) int { func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) AssertEvaluation(r []*emulated.Element[FR], combinationCoeff, expectedValue *emulated.Element[FR], proof sumcheck.EvaluationProof) error { inputEvaluationsNoRedundancy := proof.([]emulated.Element[FR]) - // switch proof := proof.(type) { - // case []emulated.Element[FR]: - // fmt.Println("proof type: []emulated.Element") - // inputEvaluationsNoRedundancy = sumcheck.DeferredEvalProof[FR](proof) - // default: - // return fmt.Errorf("proof is not a DeferredEvalProof") - // } field, err := emulated.NewField[FR](e.verifier.api) if err != nil { return fmt.Errorf("failed to create field: %w", err) @@ -209,6 +193,7 @@ func (e *eqTimesGateEvalSumcheckLazyClaimsEmulated[FR]) AssertEvaluation(r []*em } gateEvaluation = *e.wire.Gate.Evaluate(e.engine, polynomial.FromSlice(inputEvaluations)...) } + evaluation = field.Mul(evaluation, &gateEvaluation) field.AssertIsEqual(evaluation, expectedValue) @@ -302,7 +287,7 @@ func (m *claimsManager) getClaim(engine *sumcheck.BigIntEngine, wire *Wire) *eqT res.inputPreprocessors = make([]sumcheck.NativeMultilinear, len(wire.Inputs)) for inputI, inputW := range wire.Inputs { - res.inputPreprocessors[inputI] = m.assignment[inputW] //will be edited later, so must be deep copied + res.inputPreprocessors[inputI] = m.assignment[inputW].Clone() } } return res @@ -345,21 +330,21 @@ func (c *eqTimesGateEvalSumcheckClaims) Combine(combinationCoeff *big.Int) sumch // initialize the eq tables c.eq = make(sumcheck.NativeMultilinear, eqLength) - for i := 1; i < eqLength; i++ { + for i := 0; i < eqLength; i++ { c.eq[i] = new(big.Int) } c.eq[0] = c.engine.One() sumcheck.Eq(c.engine, c.eq, sumcheck.ReferenceBigIntSlice(c.evaluationPoints[0])) newEq := make(sumcheck.NativeMultilinear, eqLength) - for i := 1; i < eqLength; i++ { + for i := 0; i < eqLength; i++ { newEq[i] = new(big.Int) } aI := new(big.Int).Set(combinationCoeff) for k := 1; k < claimsNum; k++ { // TODO: parallelizable? // define eq_k = aᵏ eq(x_k1, ..., x_kn, *, ..., *) where x_ki are the evaluation points - newEq[0].Set(aI) // check if this is one or ai + newEq[0].Set(aI) sumcheck.EqAcc(c.engine, c.eq, newEq, sumcheck.ReferenceBigIntSlice(c.evaluationPoints[k])) if k+1 < claimsNum { aI.Mul(aI, combinationCoeff) @@ -450,8 +435,9 @@ func (c *eqTimesGateEvalSumcheckClaims) ProverFinalEval(r []*big.Int) sumcheck.N if _, found := noMoreClaimsAllowed[in]; !found { noMoreClaimsAllowed[in] = struct{}{} sumcheck.Fold(c.engine, puI, r[len(r)-1]) - c.manager.add(in, sumcheck.DereferenceBigIntSlice(r), *puI[0]) - evaluations = append(evaluations, *puI[0]) + puI0 := new(big.Int).Set(puI[0]) + c.manager.add(in, sumcheck.DereferenceBigIntSlice(r), *puI0) + evaluations = append(evaluations, *puI0) } } @@ -533,20 +519,6 @@ func WithSortedCircuitEmulated[FR emulated.FieldParams](sorted []*WireEmulated[F } } -// type config struct { -// prefix string -// } - -// func newConfig(opts ...sumcheck.Option) (*config, error) { -// cfg := new(config) -// for i := range opts { -// if err := opts[i](cfg); err != nil { -// return nil, fmt.Errorf("apply option %d: %w", i, err) -// } -// } -// return cfg, nil -// } - // Verifier allows to check sumcheck proofs. See [NewVerifier] for initializing the instance. type GKRVerifier[FR emulated.FieldParams] struct { api frontend.API @@ -1178,28 +1150,6 @@ func (a WireAssignmentEmulated[FR]) NumVars() int { panic("empty assignment") } -// func (p Proofs[FR]) Serialize() []emulated.Element[FR] { -// size := 0 -// for i := range p { -// for j := range p[i].RoundPolyEvaluations { -// size += len(p[i].RoundPolyEvaluations[j]) -// } -// size += len(p[i].FinalEvalProof.(sumcheck.DeferredEvalProof[FR])) -// } - -// res := make([]emulated.Element[FR], 0, size) -// for i := range p { -// for j := range p[i].RoundPolyEvaluations { -// res = append(res, p[i].RoundPolyEvaluations[j]...) -// } -// res = append(res, p[i].FinalEvalProof.(sumcheck.DeferredEvalProof[FR])...) -// } -// if len(res) != size { -// panic("bug") // TODO: Remove -// } -// return res -// } - func (p Proofs[FR]) Serialize() []emulated.Element[FR] { size := 0 for i := range p { diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index 2904f13e48..6b3304df99 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -1,458 +1,33 @@ -package sumcheck +package gkr import ( - "encoding/binary" "encoding/json" "fmt" gohash "hash" - "math" "os" "path/filepath" - "reflect" - - //"strconv" "math/big" "testing" "github.com/consensys/gnark-crypto/ecc" "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" - "github.com/consensys/gnark/frontend/cs/scs" fiatshamir "github.com/consensys/gnark/std/fiat-shamir" "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark/std/math/emulated/emparams" "github.com/consensys/gnark/std/recursion/gkr/utils" - - // "github.com/consensys/gnark/std/hash" "github.com/consensys/gnark/std/recursion" "github.com/consensys/gnark/std/recursion/sumcheck" "github.com/consensys/gnark/test" "github.com/stretchr/testify/assert" ) -// type FR = emulated.BN254Fp - var Gates = map[string]Gate{ "identity": IdentityGate[*sumcheck.BigIntEngine, *big.Int]{}, "add": AddGate[*sumcheck.BigIntEngine, *big.Int]{}, "mul": MulGate[*sumcheck.BigIntEngine, *big.Int]{}, } -// func TestNoGateTwoInstances(t *testing.T) { -// // Testing a single instance is not possible because the sumcheck implementation doesn't cover the trivial 0-variate case -// testNoGate(t, []emulated.Element[FR]{four, three}) -// } - -// func TestNoGate(t *testing.T) { -// testManyInstances(t, 1, testNoGate) -// } - - -// func TestSingleAddGate(t *testing.T) { -// testManyInstances(t, 2, testSingleAddGate) -// } - -// func TestSingleMulGateTwoInstances(t *testing.T) { -// testSingleMulGate(t, []emulated.Element[FR]{four, three}, []emulated.Element[FR]{two, three}) -// } - -// func TestSingleMulGate(t *testing.T) { -// testManyInstances(t, 2, testSingleMulGate) -// } - -// func TestSingleInputTwoIdentityGatesTwoInstances(t *testing.T) { - -// testSingleInputTwoIdentityGates(t, []fr.Element{two, three}) -// } - -// func TestSingleInputTwoIdentityGates(t *testing.T) { - -// testManyInstances(t, 2, testSingleInputTwoIdentityGates) -// } - -// func TestSingleInputTwoIdentityGatesComposedTwoInstances(t *testing.T) { -// testSingleInputTwoIdentityGatesComposed(t, []fr.Element{two, one}) -// } - -// func TestSingleInputTwoIdentityGatesComposed(t *testing.T) { -// testManyInstances(t, 1, testSingleInputTwoIdentityGatesComposed) -// } - -// func TestSingleMimcCipherGateTwoInstances(t *testing.T) { -// testSingleMimcCipherGate(t, []fr.Element{one, one}, []fr.Element{one, two}) -// } - -// func TestSingleMimcCipherGate(t *testing.T) { -// testManyInstances(t, 2, testSingleMimcCipherGate) -// } - -// func TestATimesBSquaredTwoInstances(t *testing.T) { -// testATimesBSquared(t, 2, []fr.Element{one, one}, []fr.Element{one, two}) -// } - -// func TestShallowMimcTwoInstances(t *testing.T) { -// testMimc(t, 2, []fr.Element{one, one}, []fr.Element{one, two}) -// } -// func TestMimcTwoInstances(t *testing.T) { -// testMimc(t, 93, []fr.Element{one, one}, []fr.Element{one, two}) -// } - -// func TestMimc(t *testing.T) { -// testManyInstances(t, 2, generateTestMimc(93)) -// } - -// func generateTestMimc(numRounds int) func(*testing.T, ...[]fr.Element) { -// return func(t *testing.T, inputAssignments ...[]fr.Element) { -// testMimc(t, numRounds, inputAssignments...) -// } -// } - -// func TestSumcheckFromSingleInputTwoIdentityGatesGateTwoInstances(t *testing.T) { -// circuit := Circuit{Wire{ -// Gate: IdentityGate{}, -// Inputs: []*Wire{}, -// nbUniqueOutputs: 2, -// }} - -// wire := &circuit[0] - -// assignment := WireAssignment{&circuit[0]: []fr.Element{two, three}} -// var o settings -// pool := polynomial.NewPool(256, 1<<11) -// workers := utils.NewWorkerPool() -// o.pool = &pool -// o.workers = workers - -// claimsManagerGen := func() *claimsManager { -// manager := newClaimsManager(circuit, assignment, o) -// manager.add(wire, []fr.Element{three}, five) -// manager.add(wire, []fr.Element{four}, six) -// return &manager -// } - -// transcriptGen := utils.NewMessageCounterGenerator(4, 1) - -// proof, err := sumcheck.Prove(claimsManagerGen().getClaim(wire), fiatshamir.WithHash(transcriptGen(), nil)) -// assert.NoError(t, err) -// err = sumcheck.Verify(claimsManagerGen().getLazyClaim(wire), proof, fiatshamir.WithHash(transcriptGen(), nil)) -// assert.NoError(t, err) -// } - -var one, two, three, four, five, six big.Int - -// func init() { -// one.SetOne() -// two.Double(&one) -// three.Add(&two, &one) -// four.Double(&two) -// five.Add(&three, &two) -// six.Double(&three) -// } - -// var testManyInstancesLogMaxInstances = -1 - -// func getLogMaxInstances(t *testing.T) int { -// if testManyInstancesLogMaxInstances == -1 { - -// s := os.Getenv("GKR_LOG_INSTANCES") -// if s == "" { -// testManyInstancesLogMaxInstances = 5 -// } else { -// var err error -// testManyInstancesLogMaxInstances, err = strconv.Atoi(s) -// if err != nil { -// t.Error(err) -// } -// } - -// } -// return testManyInstancesLogMaxInstances -// } - -// func testManyInstances(t *testing.T, numInput int, test func(*testing.T, ...[]emulated.Element[FR])) { -// fullAssignments := make([][]emulated.Element[FR], numInput) -// maxSize := 1 << getLogMaxInstances(t) - -// t.Log("Entered test orchestrator, assigning and randomizing inputs") - -// for i := range fullAssignments { -// fullAssignments[i] = make([]emulated.Element[FR], maxSize) -// setRandom(fullAssignments[i]) -// } - -// inputAssignments := make([][]emulated.Element[FR], numInput) -// for numEvals := maxSize; numEvals <= maxSize; numEvals *= 2 { -// for i, fullAssignment := range fullAssignments { -// inputAssignments[i] = fullAssignment[:numEvals] -// } - -// t.Log("Selected inputs for test") -// test(t, inputAssignments...) -// } -// } - -// func testNoGate(t *testing.T, inputAssignments ...[]*big.Int) { -// c := Circuit{ -// { -// Inputs: []*Wire{}, -// Gate: nil, -// }, -// } - -// assignment := WireAssignment{&c[0]: sumcheck.NativeMultilinear(inputAssignments[0])} -// assignmentEmulated := WireAssignmentEmulated[FR]{&c[0]: sumcheck.NativeMultilinear(inputAssignments[0])} - -// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) -// assert.NoError(t, err) - -// // Even though a hash is called here, the proof is empty - -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) -// assert.NoError(t, err, "proof rejected") -// } - -func toEmulated[FR emulated.FieldParams](input [][]*big.Int) [][]emulated.Element[FR] { - output := make([][]emulated.Element[FR], len(input)) - for i, in := range input { - output[i] = make([]emulated.Element[FR], len(in)) - for j, in2 := range in { - output[i][j] = emulated.ValueOf[FR](*in2) - } - } - return output -} - -func TestSingleAddGateTwoInstances(t *testing.T) { - current := ecc.BN254.ScalarField() - type FR = emulated.BN254Fp - var fr FR - testSingleAddGate[FR](t, current, fr.Modulus(), []*big.Int{&four, &three}, []*big.Int{&two, &three}) -} - -func testSingleAddGate[FR emulated.FieldParams](t *testing.T, current *big.Int, target *big.Int, inputAssignments ...[]*big.Int) { - c := make(Circuit, 3) - c[2] = Wire{ - Gate: Gates["add"], - Inputs: []*Wire{&c[0], &c[1]}, - } - - be := sumcheck.NewBigIntEngine(current) - output := make([][]*big.Int, len(inputAssignments)) - for i, in := range inputAssignments { - output[i] = make([]*big.Int, len(in)) - for j, in2 := range in { - output[i][j] = Gates["add"].Evaluate(be, in2) - } - } - - assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c, target) - - proof, err := Prove(current, target, c, assignment, fiatshamir.WithHashBigInt(utils.NewMessageCounter(1, 1))) - assert.NoError(t, err) - - proofEmulated := make(Proofs[FR], len(proof)) - for i, proof := range proof { - proofEmulated[i] = sumcheck.ValueOfProof[FR](proof) - } - - assignmentGkr := &GkrVerifierCircuitEmulated[FR]{ - Input: toEmulated[FR](inputAssignments), - Output: toEmulated[FR](output), - SerializedProof: proofEmulated.Serialize(), - ToFail: false, - } - - validCircuit := &GkrVerifierCircuitEmulated[FR]{ - Input: make([][]emulated.Element[FR], len(toEmulated[FR](inputAssignments))), - Output: make([][]emulated.Element[FR], len(toEmulated[FR](output))), - SerializedProof: make([]emulated.Element[FR], len(proofEmulated)), - ToFail: false, - } - - err = test.IsSolved(validCircuit, assignmentGkr, current) - assert.NoError(t, err) - - _, err = frontend.Compile(ecc.BN254.ScalarField(), scs.NewBuilder, validCircuit) - assert.NoError(t, err) - - - //t.Run("testSingleAddGate", generateVerifier(toEmulated(inputAssignments), toEmulated(output), proofEmulated)) - - // err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) - // assert.NoError(t, err, "proof rejected") - - // err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) - // assert.NotNil(t, err, "bad proof accepted") -} - -// func TestMulGate1Sumcheck(t *testing.T) { -// testMulGate1SumcheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{4, 3}, {2, 3}}) -// testMulGate1SumcheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{1, 2, 3, 4}, {5, 6, 7, 8}}) -// testMulGate1SumcheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{1, 2, 3, 4, 5, 6, 7, 8}, {11, 12, 13, 14, 15, 16, 17, 18}}) -// inputs := [][]int{{1}, {2}} -// for i := 1; i < (1 << 10); i++ { -// inputs[0] = append(inputs[0], inputs[0][i-1]+1) -// inputs[1] = append(inputs[1], inputs[1][i-1]+2) -// } -// testMulGate1SumcheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), inputs) -// } - -// func testSingleMulGate(t *testing.T, inputAssignments ...[]fr.Element) { - -// c := make(Circuit, 3) -// c[2] = Wire{ -// Gate: Gates["mul"], -// Inputs: []*Wire{&c[0], &c[1]}, -// } - -// assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c) - -// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) -// assert.NoError(t, err) - -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) -// assert.NoError(t, err, "proof rejected") - -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NotNil(t, err, "bad proof accepted") -// } - -// func testSingleInputTwoIdentityGates(t *testing.T, inputAssignments ...[]fr.Element) { -// c := make(Circuit, 3) - -// c[1] = Wire{ -// Gate: IdentityGate{}, -// Inputs: []*Wire{&c[0]}, -// } - -// c[2] = Wire{ -// Gate: IdentityGate{}, -// Inputs: []*Wire{&c[0]}, -// } - -// assignment := WireAssignment{&c[0]: inputAssignments[0]}.Complete(c) - -// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NoError(t, err) - -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NoError(t, err, "proof rejected") - -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) -// assert.NotNil(t, err, "bad proof accepted") -// } - -// func testSingleMimcCipherGate(t *testing.T, inputAssignments ...[]fr.Element) { -// c := make(Circuit, 3) - -// c[2] = Wire{ -// Gate: mimcCipherGate{}, -// Inputs: []*Wire{&c[0], &c[1]}, -// } - -// t.Log("Evaluating all circuit wires") -// assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c) -// t.Log("Circuit evaluation complete") -// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NoError(t, err) -// t.Log("Proof complete") -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NoError(t, err, "proof rejected") - -// t.Log("Successful verification complete") -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) -// assert.NotNil(t, err, "bad proof accepted") -// t.Log("Unsuccessful verification complete") -// } - -// func testSingleInputTwoIdentityGatesComposed(t *testing.T, inputAssignments ...[]fr.Element) { -// c := make(Circuit, 3) - -// c[1] = Wire{ -// Gate: IdentityGate{}, -// Inputs: []*Wire{&c[0]}, -// } -// c[2] = Wire{ -// Gate: IdentityGate{}, -// Inputs: []*Wire{&c[1]}, -// } - -// assignment := WireAssignment{&c[0]: inputAssignments[0]}.Complete(c) - -// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NoError(t, err) - -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NoError(t, err, "proof rejected") - -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) -// assert.NotNil(t, err, "bad proof accepted") -// } - -// func mimcCircuit(numRounds int) Circuit { -// c := make(Circuit, numRounds+2) - -// for i := 2; i < len(c); i++ { -// c[i] = Wire{ -// Gate: mimcCipherGate{}, -// Inputs: []*Wire{&c[i-1], &c[0]}, -// } -// } -// return c -// } - -// func testMimc(t *testing.T, numRounds int, inputAssignments ...[]fr.Element) { -// // TODO: Implement mimc correctly. Currently, the computation is mimc(a,b) = cipher( cipher( ... cipher(a, b), b) ..., b) -// // @AlexandreBelling: Please explain the extra layers in https://github.com/ConsenSys/gkr-mimc/blob/81eada039ab4ed403b7726b535adb63026e8011f/examples/mimc.go#L10 - -// c := mimcCircuit(numRounds) - -// t.Log("Evaluating all circuit wires") -// assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c) -// t.Log("Circuit evaluation complete") - -// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NoError(t, err) - -// t.Log("Proof finished") -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NoError(t, err, "proof rejected") - -// t.Log("Successful verification finished") -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) -// assert.NotNil(t, err, "bad proof accepted") -// t.Log("Unsuccessful verification finished") -// } - -// func testATimesBSquared(t *testing.T, numRounds int, inputAssignments ...[]fr.Element) { -// // This imitates the MiMC circuit - -// c := make(Circuit, numRounds+2) - -// for i := 2; i < len(c); i++ { -// c[i] = Wire{ -// Gate: Gates["mul"], -// Inputs: []*Wire{&c[i-1], &c[0]}, -// } -// } - -// assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c) - -// proof, err := Prove(c, assignment, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NoError(t, err) - -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(0, 1))) -// assert.NoError(t, err, "proof rejected") - -// err = Verify(c, assignment, proof, fiatshamir.WithHash(utils.NewMessageCounter(1, 1))) -// assert.NotNil(t, err, "bad proof accepted") -// } - -// func setRandom(slice []fr.Element) { -// for i := range slice { -// slice[i].SetRandom() -// } -// } func TestGkrVectorsEmulated(t *testing.T) { current := ecc.BN254.ScalarField() var fr emparams.BN254Fp @@ -466,61 +41,12 @@ func TestGkrVectorsEmulated(t *testing.T) { path := filepath.Join(testDirPath, dirEntry.Name()) noExt := dirEntry.Name()[:len(dirEntry.Name())-len(".json")] - t.Run(noExt, generateTestProver(path, *current, *fr.Modulus())) - t.Run(noExt, generateTestVerifier[emparams.BN254Fp](path)) + t.Run(noExt+"_prover", generateTestProver(path, *current, *fr.Modulus())) + t.Run(noExt+"_verifier", generateTestVerifier[emparams.BN254Fp](path)) } } } -type _options struct { - noSuccess bool - noFail bool -} - -type option func(*_options) - -func noSuccess(o *_options) { - o.noSuccess = true -} - -func generateVerifier[FR emulated.FieldParams](Input [][]emulated.Element[FR], Output [][]emulated.Element[FR], Proof Proofs[FR]) func(t *testing.T) { - - return func(t *testing.T) { - - assert := test.NewAssert(t) - - assignment := &GkrVerifierCircuitEmulated[FR]{ - Input: Input, - Output: Output, - SerializedProof: Proof.Serialize(), - ToFail: false, - } - - validCircuit := &GkrVerifierCircuitEmulated[FR]{ - Input: make([][]emulated.Element[FR], len(Input)), - Output: make([][]emulated.Element[FR], len(Output)), - SerializedProof: make([]emulated.Element[FR], len(assignment.SerializedProof)), - ToFail: false, - } - - invalidCircuit := &GkrVerifierCircuitEmulated[FR]{ - Input: make([][]emulated.Element[FR], len(Input)), - Output: make([][]emulated.Element[FR], len(Output)), - SerializedProof: make([]emulated.Element[FR], len(assignment.SerializedProof)), - ToFail: true, - } - - fillWithBlanks(validCircuit.Input, len(Input[0])) - fillWithBlanks(validCircuit.Output, len(Input[0])) - fillWithBlanks(invalidCircuit.Input, len(Input[0])) - fillWithBlanks(invalidCircuit.Output, len(Input[0])) - - assert.CheckCircuit(validCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) - //test.IsSolved(validCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) - // assert.CheckCircuit(invalidCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithInvalidAssignment(assignment)) - } -} - func proofEquals(expected NativeProofs, seen NativeProofs) error { if len(expected) != len(seen) { return fmt.Errorf("length mismatch %d ≠ %d", len(expected), len(seen)) @@ -574,11 +100,7 @@ func generateTestProver(path string, current big.Int, target big.Int) func(t *te } } -func generateTestVerifier[FR emulated.FieldParams](path string, options ...option) func(t *testing.T) { - var opts _options - for _, opt := range options { - opt(&opts) - } +func generateTestVerifier[FR emulated.FieldParams](path string) func(t *testing.T) { return func(t *testing.T) { @@ -602,26 +124,10 @@ func generateTestVerifier[FR emulated.FieldParams](path string, options ...optio TestCaseName: path, } - invalidCircuit := &GkrVerifierCircuitEmulated[FR]{ - Input: make([][]emulated.Element[FR], len(testCase.Input)), - Output: make([][]emulated.Element[FR], len(testCase.Output)), - SerializedProof: make([]emulated.Element[FR], len(assignment.SerializedProof)), - ToFail: true, - TestCaseName: path, - } - fillWithBlanks(validCircuit.Input, len(testCase.Input[0])) fillWithBlanks(validCircuit.Output, len(testCase.Input[0])) - fillWithBlanks(invalidCircuit.Input, len(testCase.Input[0])) - fillWithBlanks(invalidCircuit.Output, len(testCase.Input[0])) - if !opts.noSuccess { - assert.CheckCircuit(validCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) - } - - // if !opts.noFail { - // assert.CheckCircuit(invalidCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithInvalidAssignment(assignment)) - // } + assert.CheckCircuit(validCircuit, test.WithCurves(ecc.BN254), test.WithBackends(backend.GROTH16), test.WithValidAssignment(assignment)) } } @@ -644,8 +150,6 @@ func (c *GkrVerifierCircuitEmulated[FR]) Define(api frontend.API) error { return fmt.Errorf("new verifier: %w", err) } - println("c.TestCaseName", c.TestCaseName) - // var proofRef Proof if testCase, err = getTestCase[FR](c.TestCaseName); err != nil { return err } @@ -656,21 +160,13 @@ func (c *GkrVerifierCircuitEmulated[FR]) Define(api frontend.API) error { } assignment := makeInOutAssignment(testCase.Circuit, c.Input, c.Output) - // initiating hash in bitmode, remove and do it with hashdescription instead - h, err := recursion.NewHash(api, fr.Modulus(), true) + // initiating hash in bitmode + hsh, err := recursion.NewHash(api, fr.Modulus(), true) if err != nil { return err } - // var hsh hash.FieldHasher - // if c.ToFail { - // hsh = NewMessageCounter(api, 1, 1) - // } else { - // if hsh, err = HashFromDescription(api, testCase.Hash); err != nil { - // return err - // } - // } - - return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](h)) + + return v.Verify(api, testCase.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](hsh)) } func makeInOutAssignment[FR emulated.FieldParams](c CircuitEmulated[FR], inputValues [][]emulated.Element[FR], outputValues [][]emulated.Element[FR]) WireAssignmentEmulated[FR] { @@ -711,7 +207,6 @@ type TestCaseInfo struct { Proof PrintableProof `json:"proof"` } -// var testCases = make(map[string]*TestCase[emulated.FieldParams]) var testCases = make(map[string]interface{}) func getTestCase[FR emulated.FieldParams](path string) (*TestCaseVerifier[FR], error) { @@ -853,102 +348,48 @@ func toCircuit(c CircuitInfo) (circuit Circuit, err error) { return } -type _select[FR emulated.FieldParams] int - -// func init() { -// var GatesEmulated = map[string]GateEmulated[FR]{ -// "identity": IdentityGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, -// "add": AddGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, -// "mul": MulGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, -// } - -// GatesEmulated["select-input-3"] = _select[FR](2) -// } - -func (g _select[FR]) Evaluate(_ *sumcheck.EmuEngine[FR], in ...*emulated.Element[FR]) *emulated.Element[FR] { - return in[g] -} - -func (g _select[FR]) Degree() int { - return 1 -} - type PrintableProof []PrintableSumcheckProof type PrintableSumcheckProof struct { - FinalEvalProof interface{} `json:"finalEvalProof"` - RoundPolyEvaluations [][]interface{} `json:"roundPolyEvaluations"` + FinalEvalProof [][]uint64 `json:"finalEvalProof"` + RoundPolyEvaluations [][][]uint64 `json:"roundPolyEvaluations"` +} + +func unmarshalProof(printable []PrintableSumcheckProof) (proof NativeProofs) { + proof = make(NativeProofs, len(printable)) + + for i := range printable { + if printable[i].FinalEvalProof != nil { + finalEvalProof := make(sumcheck.NativeDeferredEvalProof, len(printable[i].FinalEvalProof)) + for k, val := range printable[i].FinalEvalProof { + var temp big.Int + temp.SetUint64(val[0]) + for _, v := range val[1:] { + temp.Lsh(&temp, 64).Add(&temp, new(big.Int).SetUint64(v)) + } + finalEvalProof[k] = temp + } + proof[i].FinalEvalProof = finalEvalProof + } else { + proof[i].FinalEvalProof = nil + } + + proof[i].RoundPolyEvaluations = make([]sumcheck.NativePolynomial, len(printable[i].RoundPolyEvaluations)) + for k, evals := range printable[i].RoundPolyEvaluations { + proof[i].RoundPolyEvaluations[k] = make(sumcheck.NativePolynomial, len(evals)) + for j, eval := range evals { + var temp big.Int + temp.SetUint64(eval[0]) + for _, v := range eval[1:] { + temp.Lsh(&temp, 64).Add(&temp, new(big.Int).SetUint64(v)) + } + proof[i].RoundPolyEvaluations[k][j] = &temp + } + } + } + return proof } -func unmarshalProof(printable PrintableProof) (proof NativeProofs) { - proof = make(NativeProofs, len(printable)) - for i := range printable { - - if printable[i].FinalEvalProof != nil { - finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) - finalEvalProof := make(sumcheck.NativeDeferredEvalProof, finalEvalSlice.Len()) - for k := range finalEvalProof { - finalEvalSlice := finalEvalSlice.Index(k).Interface().([]interface{}) - var byteArray []byte - for _, val := range finalEvalSlice { - floatVal := val.(float64) - bits := math.Float64bits(floatVal) - bytes := make([]byte, 8) - binary.BigEndian.PutUint64(bytes, bits) - byteArray = append(byteArray, bytes...) - } - finalEvalProof[k] = *big.NewInt(0).SetBytes(byteArray) - } - proof[i].FinalEvalProof = finalEvalProof - } else { - proof[i].FinalEvalProof = nil - } - - proof[i].RoundPolyEvaluations = make([]sumcheck.NativePolynomial, len(printable[i].RoundPolyEvaluations)) - for k := range printable[i].RoundPolyEvaluations { - evals := printable[i].RoundPolyEvaluations[k] - proof[i].RoundPolyEvaluations[k] = make(sumcheck.NativePolynomial, len(evals)) - for j, eval := range evals { - evalSlice := reflect.ValueOf(eval).Interface().([]interface{}) - var byteArray []byte - for _, val := range evalSlice { - floatVal := val.(float64) - bits := math.Float64bits(floatVal) - bytes := make([]byte, 8) - binary.BigEndian.PutUint64(bytes, bits) - byteArray = append(byteArray, bytes...) - } - proof[i].RoundPolyEvaluations[k][j] = big.NewInt(0).SetBytes(byteArray) - } - } - - } - return -} - -// func unmarshalProofEmulated[FR emulated.FieldParams](printable PrintableProof) (proof Proofs[FR]) { -// proof = make(Proofs[FR], len(printable)) -// for i := range printable { - -// if printable[i].FinalEvalProof != nil { -// finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) -// finalEvalProof := make(sumcheck.DeferredEvalProof[FR], finalEvalSlice.Len()) -// for k := range finalEvalProof { -// finalEvalProof[k] = utils.ToVariableFr[FR](finalEvalSlice.Index(k).Interface()) -// } -// proof[i].FinalEvalProof = finalEvalProof -// } else { -// proof[i].FinalEvalProof = nil -// } - -// proof[i].RoundPolyEvaluations = make([]polynomial.Univariate[FR], len(printable[i].RoundPolyEvaluations)) -// for k := range printable[i].RoundPolyEvaluations { -// proof[i].RoundPolyEvaluations[k] = utils.ToVariableSliceFr[FR](printable[i].RoundPolyEvaluations[k]) -// } -// } -// return -// } - func TestLogNbInstances(t *testing.T) { type FR = emulated.BN254Fp testLogNbInstances := func(path string) func(t *testing.T) { @@ -1030,97 +471,77 @@ func TestTopSortWide(t *testing.T) { assert.Equal(t, sortedExpected, sorted) } -// type constHashCircuit struct { -// X frontend.Variable -// } - -// func (c *constHashCircuit) Define(api frontend.API) error { -// hsh := utils.NewMessageCounter(api, 0, 0) -// hsh.Reset() -// hsh.Write(c.X) -// sum := hsh.Sum() -// api.AssertIsEqual(sum, 0) -// api.AssertIsEqual(api.Mul(c.X, c.X), 1) // ensure we have at least 2 constraints -// return nil -// } - -// func TestConstHash(t *testing.T) { -// test.NewAssert(t).CheckCircuit( -// &constHashCircuit{}, - -// test.WithValidAssignment(&constHashCircuit{X: 1}), -// ) -// } - -// var mimcSnarkTotalCalls = 0 - -// type MiMCCipherGate struct { -// Ark frontend.Variable -// } - -// func (m MiMCCipherGate) Evaluate(api frontend.API, input ...frontend.Variable) frontend.Variable { -// mimcSnarkTotalCalls++ - -// if len(input) != 2 { -// panic("mimc has fan-in 2") -// } -// sum := api.Add(input[0], input[1], m.Ark) - -// sumCubed := api.Mul(sum, sum, sum) // sum^3 -// return api.Mul(sumCubed, sumCubed, sum) -// } - -// func (m MiMCCipherGate) Degree() int { -// return 7 -// } - -// type PrintableProof []PrintableSumcheckProof - -// type PrintableSumcheckProof struct { -// FinalEvalProof interface{} `json:"finalEvalProof"` -// PartialSumPolys [][]interface{} `json:"partialSumPolys"` -// } - -// func unmarshalProof(printable PrintableProof) (Proof, error) { -// proof := make(Proof, len(printable)) -// for i := range printable { -// finalEvalProof := []fr.Element(nil) - -// if printable[i].FinalEvalProof != nil { -// finalEvalSlice := reflect.ValueOf(printable[i].FinalEvalProof) -// finalEvalProof = make([]fr.Element, finalEvalSlice.Len()) -// for k := range finalEvalProof { -// if _, err := utils.SetElement(&finalEvalProof[k], finalEvalSlice.Index(k).Interface()); err != nil { -// return nil, err -// } -// } -// } - -// proof[i] = sumcheck.Proof{ -// PartialSumPolys: make([]polynomial.Polynomial, len(printable[i].PartialSumPolys)), -// FinalEvalProof: finalEvalProof, -// } -// for k := range printable[i].PartialSumPolys { -// var err error -// if proof[i].PartialSumPolys[k], err = utils.SliceToElementSlice(printable[i].PartialSumPolys[k]); err != nil { -// return nil, err -// } -// } -// } -// return proof, nil -// } +var mimcSnarkTotalCalls = 0 + +//todo add ark +type MiMCCipherGate struct { +} + +func (m MiMCCipherGate) Evaluate(api *sumcheck.BigIntEngine, input ...*big.Int) *big.Int { + mimcSnarkTotalCalls++ + + if len(input) != 2 { + panic("mimc has fan-in 2") + } + sum := api.Add(input[0], input[1]) + sumSquared := api.Mul(sum, sum) + sumCubed := api.Mul(sumSquared, sum) + return api.Mul(sumCubed, sum) +} + +func (m MiMCCipherGate) Degree() int { + return 7 +} + +type _select int + +func init() { + Gates["mimc"] = MiMCCipherGate{} + Gates["select-input-3"] = _select(2) +} + +func (g _select) Evaluate(_ *sumcheck.BigIntEngine, in ...*big.Int) *big.Int { + return in[g] +} + +func (g _select) Degree() int { + return 1 +} type TestCase struct { Current big.Int Target big.Int Circuit Circuit - Hash gohash.Hash //utils.HashDescription + Hash gohash.Hash Proof NativeProofs FullAssignment WireAssignment InOutAssignment WireAssignment } -// var testCases = make(map[string]*TestCase) +func (p *PrintableSumcheckProof) UnmarshalJSON(data []byte) error { + var temp struct { + FinalEvalProof [][]uint64 `json:"finalEvalProof"` + RoundPolyEvaluations [][][]uint64 `json:"roundPolyEvaluations"` + } + + if err := json.Unmarshal(data, &temp); err != nil { + return err + } + + p.FinalEvalProof = temp.FinalEvalProof + + p.RoundPolyEvaluations = make([][][]uint64, len(temp.RoundPolyEvaluations)) + for i, arr2D := range temp.RoundPolyEvaluations { + p.RoundPolyEvaluations[i] = make([][]uint64, len(arr2D)) + for j, arr1D := range arr2D { + p.RoundPolyEvaluations[i][j] = make([]uint64, len(arr1D)) + for k, v := range arr1D { + p.RoundPolyEvaluations[i][j][k] = uint64(v) + } + } + } + return nil +} func newTestCase(path string, target big.Int) (*TestCase, error) { path, err := filepath.Abs(path) @@ -1133,7 +554,7 @@ func newTestCase(path string, target big.Int) (*TestCase, error) { if !ok { var bytes []byte if bytes, err = os.ReadFile(path); err == nil { - var info TestCaseInfo + var info TestCaseInfo err = json.Unmarshal(bytes, &info) if err != nil { return nil, err diff --git a/std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates_two_instances.json b/std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates_two_instances.json deleted file mode 100644 index a995f7197a..0000000000 --- a/std/recursion/gkr/test_vectors/resources/single_input_two_identity_gates_two_instances.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "hash": { - "type": "const", - "val": -1 - }, - "circuit": "resources/single_input_two_identity_gates.json", - "input": [ - [ - 2, - 3 - ] - ], - "output": [ - [ - 2, - 3 - ], - [ - 2, - 3 - ] - ], - "proof": [ - { - "finalEvalProof": [], - "roundPolyEvaluations": [ - [ - 0, - 0 - ] - ] - }, - { - "finalEvalProof": [ - 1 - ], - "roundPolyEvaluations": [ - [ - -3, - -16 - ] - ] - }, - { - "finalEvalProof": [ - 1 - ], - "roundPolyEvaluations": [ - [ - -3, - -16 - ] - ] - } - ] -} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/single_input_two_outs_two_instances.json b/std/recursion/gkr/test_vectors/resources/single_input_two_outs_two_instances.json deleted file mode 100644 index 6dace72193..0000000000 --- a/std/recursion/gkr/test_vectors/resources/single_input_two_outs_two_instances.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "hash": { - "type": "const", - "val": -1 - }, - "circuit": "resources/single_input_two_outs.json", - "input": [ - [ - 1, - 2 - ] - ], - "output": [ - [ - 1, - 4 - ], - [ - 1, - 2 - ] - ], - "proof": [ - { - "finalEvalProof": [], - "roundPolyEvaluations": [ - [ - 0, - 0 - ] - ] - }, - { - "finalEvalProof": [ - 0 - ], - "roundPolyEvaluations": [ - [ - -4, - -36, - -112 - ] - ] - }, - { - "finalEvalProof": [ - 0 - ], - "roundPolyEvaluations": [ - [ - -2, - -12 - ] - ] - } - ] -} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/single_mimc_gate_two_instances.json b/std/recursion/gkr/test_vectors/resources/single_mimc_gate_two_instances.json new file mode 100644 index 0000000000..a75ccccfef --- /dev/null +++ b/std/recursion/gkr/test_vectors/resources/single_mimc_gate_two_instances.json @@ -0,0 +1,89 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/single_mimc_gate.json", + "input": [ + [ + 1, + 1 + ], + [ + 1, + 2 + ] + ], + "output": [ + [ + 128, + 2187 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "roundPolyEvaluations": [ + [ + [ + 2241063740747277757, + 6741806107110303462, + 10584378630379443447, + 11431840297086248935 + ], + [ + 1284308761996894303, + 17461779615671711157, + 12779565606756425632, + 11770813148743782171 + ] + ] + ] + }, + { + "finalEvalProof": [], + "roundPolyEvaluations": [ + [ + [ + 2241063740747277757, + 6741806107110303462, + 10584378630379443447, + 11431840297086248935 + ], + [ + 1284308761996894303, + 17461779615671711157, + 12779565606756425632, + 11770813148743782171 + ] + ] + ] + }, + { + "finalEvalProof": [ + [ + 3445061460418080392, + 1582772968760438233, + 15430626802533927355, + 10677110232782539588 + ] + ], + "roundPolyEvaluations": [ + [ + [ + 2241063740747277757, + 6741806107110303462, + 10584378630379443447, + 11431840297086248935 + ], + [ + 1284308761996894303, + 17461779615671711157, + 12779565606756425632, + 11770813148743782171 + ] + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/single_mul_gate_two_instances.json b/std/recursion/gkr/test_vectors/resources/single_mul_gate_two_instances.json deleted file mode 100644 index ba854e37f5..0000000000 --- a/std/recursion/gkr/test_vectors/resources/single_mul_gate_two_instances.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "hash": { - "type": "const", - "val": -1 - }, - "circuit": "resources/single_mul_gate.json", - "input": [ - [ - 4, - 3 - ], - [ - 2, - 3 - ] - ], - "output": [ - [ - 8, - 9 - ] - ], - "proof": [ - { - "finalEvalProof": [], - "roundPolyEvaluations": [] - }, - { - "finalEvalProof": [], - "roundPolyEvaluations": [] - }, - { - "finalEvalProof": [ - 5, - 1 - ], - "roundPolyEvaluations": [ - [ - -9, - -32, - -35 - ] - ] - } - ] -} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input_two_instances.json b/std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input_two_instances.json deleted file mode 100644 index e145c7d18d..0000000000 --- a/std/recursion/gkr/test_vectors/resources/two_identity_gates_composed_single_input_two_instances.json +++ /dev/null @@ -1,47 +0,0 @@ -{ - "hash": { - "type": "const", - "val": -1 - }, - "circuit": "resources/two_identity_gates_composed_single_input.json", - "input": [ - [ - 2, - 1 - ] - ], - "output": [ - [ - 2, - 1 - ] - ], - "proof": [ - { - "finalEvalProof": [], - "roundPolyEvaluations": [] - }, - { - "finalEvalProof": [ - 3 - ], - "roundPolyEvaluations": [ - [ - -1, - 0 - ] - ] - }, - { - "finalEvalProof": [ - 3 - ], - "roundPolyEvaluations": [ - [ - -1, - 0 - ] - ] - } - ] -} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/resources/two_inputs_select-input-3_gate_two_instances.json b/std/recursion/gkr/test_vectors/resources/two_inputs_select-input-3_gate_two_instances.json new file mode 100644 index 0000000000..05a2a421e4 --- /dev/null +++ b/std/recursion/gkr/test_vectors/resources/two_inputs_select-input-3_gate_two_instances.json @@ -0,0 +1,65 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/two_inputs_select-input-3_gate.json", + "input": [ + [ + 0, + 1 + ], + [ + 2, + 3 + ] + ], + "output": [ + [ + 2, + 3 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "roundPolyEvaluations": [] + }, + { + "finalEvalProof": [], + "roundPolyEvaluations": [] + }, + { + "finalEvalProof": [ + [ + 34793283102800716, + 14623004755582362860, + 7566020917664053271, + 804411355194692424 + ], + [ + 34793283102800716, + 14623004755582362860, + 7566020917664053271, + 804411355194692426 + ] + ], + "roundPolyEvaluations": [ + [ + [ + 202884085477257258, + 10103834348047568829, + 18355757093406830428, + 3239398344287232773 + ], + [ + 811536341909029034, + 3521849244771172087, + 18082796152498666864, + 12957593377148931088 + ] + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json b/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json index 18d1f44c39..420584f6fa 100644 --- a/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json +++ b/std/recursion/gkr/test_vectors/single_identity_gate_two_instances.json @@ -23,26 +23,26 @@ }, { "finalEvalProof": [ - [ - 2.1129583785431688e-78, - 7.380245878097748e-203, - -9.448716071046593e+106, - -1.7059667400226023e-211 + [ + 3445061460418080392, + 1582772968760438233, + 15430626802533927355, + 10677110232782539588 ] ], "roundPolyEvaluations": [ [ - [ - 4.107435820551428e-295, - -8.39085766387766e-250, - -3.0805133636173705e+302, - 3.9607963698746494e-92 + [ + 202884085477257258, + 10103834348047568829, + 18355757093406830428, + 3239398344287232773 ], [ - 1.51309699491893e-281, - 5.632421638135887e-191, - -2.6056281893145424e+296, - 1.338485906067006e+125 + 405768170954514517, + 1760924622385586043, + 18264770113104109240, + 6478796688574465544 ] ] ] diff --git a/std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json b/std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json new file mode 100644 index 0000000000..1cf156c016 --- /dev/null +++ b/std/recursion/gkr/test_vectors/single_input_two_identity_gates_two_instances.json @@ -0,0 +1,96 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/single_input_two_identity_gates.json", + "input": [ + [ + 2, + 3 + ] + ], + "output": [ + [ + 2, + 3 + ], + [ + 2, + 3 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "roundPolyEvaluations": [ + [ + [ + 1309801114600745759, + 3758563846819454073, + 10262009230221415359, + 16005847429194593330 + ], + [ + 1641562985788773784, + 10408495378109679862, + 1607731544356410364, + 2789460758528902269 + ] + ] + ] + }, + { + "finalEvalProof": [ + [ + 34793283102800716, + 14623004755582362860, + 7566020917664053271, + 804411355194692426 + ] + ], + "roundPolyEvaluations": [ + [ + [ + 202884085477257258, + 10103834348047568829, + 18355757093406830428, + 3239398344287232773 + ], + [ + 811536341909029034, + 3521849244771172087, + 18082796152498666864, + 12957593377148931088 + ] + ] + ] + }, + { + "finalEvalProof": [ + [ + 34793283102800716, + 14623004755582362860, + 7566020917664053271, + 804411355194692426 + ] + ], + "roundPolyEvaluations": [ + [ + [ + 202884085477257258, + 10103834348047568829, + 18355757093406830428, + 3239398344287232773 + ], + [ + 811536341909029034, + 3521849244771172087, + 18082796152498666864, + 12957593377148931088 + ] + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json b/std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json new file mode 100644 index 0000000000..9f9bb7b4e4 --- /dev/null +++ b/std/recursion/gkr/test_vectors/single_input_two_outs_two_instances.json @@ -0,0 +1,102 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/single_input_two_outs.json", + "input": [ + [ + 1, + 2 + ] + ], + "output": [ + [ + 1, + 4 + ], + [ + 1, + 2 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "roundPolyEvaluations": [ + [ + [ + 2241063740747277757, + 6741806107110303462, + 10584378630379443447, + 11431840297086248935 + ], + [ + 1284308761996894303, + 17461779615671711157, + 12779565606756425632, + 11770813148743782171 + ] + ] + ] + }, + { + "finalEvalProof": [ + [ + 11552014468118848, + 6459316162880666778, + 5573794085540653091, + 12018926454163338051 + ] + ], + "roundPolyEvaluations": [ + [ + [ + 270512113969676344, + 13471779130730091773, + 6027598717499555621, + 10468112483619494236 + ], + [ + 1825956769295315326, + 17147532837589913005, + 17627861250985060925, + 10707841024875543332 + ], + [ + 1923244012590556228, + 16346717705102969708, + 17401129836965471330, + 2115447990305160649 + ] + ] + ] + }, + { + "finalEvalProof": [ + [ + 38772122160298693, + 2654177376158557373, + 666365361690475594, + 9065178994946100760 + ] + ], + "roundPolyEvaluations": [ + [ + [ + 135256056984838172, + 6735889565365045886, + 12237171395604553618, + 14457428278664522926 + ], + [ + 608652256431771775, + 11864758970433154873, + 18173783132801388052, + 9718195032861698316 + ] + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json b/std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json new file mode 100644 index 0000000000..128b57f3e1 --- /dev/null +++ b/std/recursion/gkr/test_vectors/single_mul_gate_two_instances.json @@ -0,0 +1,71 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/single_mul_gate.json", + "input": [ + [ + 4, + 3 + ], + [ + 2, + 3 + ] + ], + "output": [ + [ + 8, + 9 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "roundPolyEvaluations": [] + }, + { + "finalEvalProof": [], + "roundPolyEvaluations": [] + }, + { + "finalEvalProof": [ + [ + 3474249952014841962, + 12028090948092229382, + 15144988130097378949, + 4865233403516270609 + ], + [ + 12748314788128703, + 1253101003182465366, + 14218880088090055687, + 17914127541472937276 + ] + ], + "roundPolyEvaluations": [ + [ + [ + 608652256431771775, + 11864758970433154873, + 18173783132801388052, + 9718195032861698319 + ], + [ + 1623072683818058068, + 7043698489542344175, + 17718848231287782113, + 7468442680588310560 + ], + [ + 1690700712310477154, + 10411643272224867119, + 5390689855380507306, + 14697156819920572021 + ] + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json b/std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json new file mode 100644 index 0000000000..376025e4e9 --- /dev/null +++ b/std/recursion/gkr/test_vectors/two_identity_gates_composed_single_input_two_instances.json @@ -0,0 +1,77 @@ +{ + "hash": { + "type": "const", + "val": -1 + }, + "circuit": "resources/two_identity_gates_composed_single_input.json", + "input": [ + [ + 2, + 1 + ] + ], + "output": [ + [ + 2, + 1 + ] + ], + "proof": [ + { + "finalEvalProof": [], + "roundPolyEvaluations": [] + }, + { + "finalEvalProof": [ + [ + 3479106886554451955, + 541048341316977072, + 10578437981560588015, + 16173759560562137918 + ] + ], + "roundPolyEvaluations": [ + [ + [ + 21302570947489481, + 677004288128798096, + 11618204988248521184, + 10639673014910314290 + ], + [ + 0, + 0, + 0, + 0 + ] + ] + ] + }, + { + "finalEvalProof": [ + [ + 3465695695855481184, + 12604187663145896652, + 17745663229938913452, + 12139687930078893591 + ] + ], + "roundPolyEvaluations": [ + [ + [ + 67628028492419086, + 3367944782682522943, + 6118585697802276809, + 7228714139332261463 + ], + [ + 0, + 0, + 0, + 0 + ] + ] + ] + } + ] +} \ No newline at end of file diff --git a/std/recursion/gkr/utils/util.go b/std/recursion/gkr/utils/util.go index 542106240d..b4c2f75624 100644 --- a/std/recursion/gkr/utils/util.go +++ b/std/recursion/gkr/utils/util.go @@ -4,9 +4,10 @@ import ( "fmt" "math/big" "testing" + gohash "hash" - "hash" - + "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark/std/hash" "github.com/consensys/gnark/std/math/emulated" "github.com/stretchr/testify/assert" ) @@ -88,64 +89,9 @@ func SliceEqual[T comparable](expected, seen []T) bool { return true } -// type HashDescription map[string]interface{} - -// func HashFromDescription(api frontend.API, d HashDescription) (hash.FieldHasher, error) { -// if _type, ok := d["type"]; ok { -// switch _type { -// case "const": -// startState := int64(d["val"].(float64)) -// return &MessageCounter{startState: startState, step: 0, state: startState, api: api}, nil -// default: -// return nil, fmt.Errorf("unknown fake hash type \"%s\"", _type) -// } -// } -// return nil, fmt.Errorf("hash description missing type") -// } - -// type MessageCounter struct { -// startState int64 -// state int64 -// step int64 - -// // cheap trick to avoid unconstrained input errors -// api frontend.API -// zero frontend.Variable -// } - -// func (m *MessageCounter) Write(data ...frontend.Variable) { - -// for i := range data { -// sq1, sq2 := m.api.Mul(data[i], data[i]), m.api.Mul(data[i], data[i]) -// m.zero = m.api.Sub(sq1, sq2, m.zero) -// } - -// m.state += int64(len(data)) * m.step -// } - -// func (m *MessageCounter) Sum() frontend.Variable { -// return m.api.Add(m.state, m.zero) -// } - -// func (m *MessageCounter) Reset() { -// m.zero = 0 -// m.state = m.startState -// } - -// func NewMessageCounter(api frontend.API, startState, step int) hash.FieldHasher { -// transcript := &MessageCounter{startState: int64(startState), state: int64(startState), step: int64(step), api: api} -// return transcript -// } - -// func NewMessageCounterGenerator(startState, step int) func(frontend.API) hash.FieldHasher { -// return func(api frontend.API) hash.FieldHasher { -// return NewMessageCounter(api, startState, step) -// } -// } - type HashDescription map[string]interface{} -func HashFromDescription(d HashDescription) (hash.Hash, error) { +func HashFromDescription(d HashDescription) (gohash.Hash, error) { if _type, ok := d["type"]; ok { switch _type { case "const": @@ -195,69 +141,53 @@ func (m *MessageCounter) BlockSize() int { return len(temp.Bytes()) } -func NewMessageCounter(startState, step int) hash.Hash { +func NewMessageCounter(startState, step int) gohash.Hash { transcript := &MessageCounter{startState: int64(startState), state: int64(startState), step: int64(step)} return transcript } -func NewMessageCounterGenerator(startState, step int) func() hash.Hash { - return func() hash.Hash { +func NewMessageCounterGenerator(startState, step int) func() gohash.Hash { + return func() gohash.Hash { return NewMessageCounter(startState, step) } } -// type HashDescriptionEmulated map[string]interface{} - -// func HashFromDescriptionEmulated(api frontend.API, d HashDescriptionEmulated) (hash.FieldHasher, error) { -// if _type, ok := d["type"]; ok { -// switch _type { -// case "const": -// startState := int64(d["val"].(float64)) -// return &MessageCounter{startState: startState, step: 0, state: startState, api: api}, nil -// default: -// return nil, fmt.Errorf("unknown fake hash type \"%s\"", _type) -// } -// } -// return nil, fmt.Errorf("hash description missing type") -// } - -// type MessageCounterEmulated struct { -// startState int64 -// state int64 -// step int64 - +type MessageCounterEmulated struct { + startState int64 + state int64 + step int64 -// // cheap trick to avoid unconstrained input errors -// api frontend.API -// zero frontend.Variable -// } + // cheap trick to avoid unconstrained input errors + api frontend.API + zero frontend.Variable +} -// func (m *MessageCounterEmulated) Write(data ...frontend.Variable) { +func (m *MessageCounterEmulated) Write(data ...frontend.Variable) { -// for i := range data { -// sq1, sq2 := m.api.Mul(data[i], data[i]), m.api.Mul(data[i], data[i]) -// m.zero = m.api.Sub(sq1, sq2, m.zero) -// } + for i := range data { + sq1, sq2 := m.api.Mul(data[i], data[i]), m.api.Mul(data[i], data[i]) + m.zero = m.api.Sub(sq1, sq2, m.zero) + } -// m.state += int64(len(data)) * m.step -// } + m.state += int64(len(data)) * m.step +} -// func (m *MessageCounterEmulated) Sum() frontend.Variable { -// return m.api.Add(m.state, m.zero) -// } +func (m *MessageCounterEmulated) Sum() frontend.Variable { + return m.api.Add(m.state, m.zero) +} -// func (m *MessageCounterEmulated) Reset() { -// m.zero = 0 -// m.state = m.startState -// } +func (m *MessageCounterEmulated) Reset() { + m.zero = 0 + m.state = m.startState +} -// func NewMessageCounterEmulated(api frontend.API, startState, step int) hash.FieldHasher { -// transcript := &MessageCounterEmulated{startState: int64(startState), state: int64(startState), step: int64(step), api: api} -// return transcript -// } +func NewMessageCounterEmulated(api frontend.API, startState, step int) hash.FieldHasher { + transcript := &MessageCounterEmulated{startState: int64(startState), state: int64(startState), step: int64(step), api: api} + return transcript +} -// func NewMessageCounterGeneratorEmulated(startState, step int) func(frontend.API) hash.FieldHasher { -// return func(api frontend.API) hash.FieldHasher { -// return NewMessageCounterEmulated(api, startState, step) -// } -// } \ No newline at end of file +func NewMessageCounterGeneratorEmulated(startState, step int) func(frontend.API) hash.FieldHasher { + return func(api frontend.API) hash.FieldHasher { + return NewMessageCounterEmulated(api, startState, step) + } +} \ No newline at end of file diff --git a/std/recursion/sumcheck/polynomial.go b/std/recursion/sumcheck/polynomial.go index 883b2be2f8..3bea58646e 100644 --- a/std/recursion/sumcheck/polynomial.go +++ b/std/recursion/sumcheck/polynomial.go @@ -10,6 +10,23 @@ type NativeMultilinear []*big.Int // helper functions for multilinear polynomial evaluations +// Clone returns a deep copy of p. +// If capacity is provided, the new coefficient slice capacity will be set accordingly. +func (p NativeMultilinear) Clone(capacity ...int) NativeMultilinear { + var newCapacity int + if len(capacity) > 0 { + newCapacity = capacity[0] + } else { + newCapacity = len(p) + } + + res := make(NativeMultilinear, len(p), newCapacity) + for i, v := range p { + res[i] = new(big.Int).Set(v) + } + return res +} + func DereferenceBigIntSlice(ptrs []*big.Int) []big.Int { vals := make([]big.Int, len(ptrs)) for i, ptr := range ptrs { diff --git a/std/recursion/sumcheck/prover.go b/std/recursion/sumcheck/prover.go index 75ca75bfac..4bcaf70ab2 100644 --- a/std/recursion/sumcheck/prover.go +++ b/std/recursion/sumcheck/prover.go @@ -61,7 +61,6 @@ func Prove(current *big.Int, target *big.Int, claims claims, opts ...proverOptio proof.RoundPolyEvaluations = make([]NativePolynomial, nbVars) // the first round in the sumcheck is without verifier challenge. Combine challenges and provers sends the first polynomial proof.RoundPolyEvaluations[0] = claims.Combine(combinationCoef) - challenges := make([]*big.Int, nbVars) // we iterate over all variables. However, we omit the last round as the @@ -81,6 +80,7 @@ func Prove(current *big.Int, target *big.Int, claims claims, opts ...proverOptio if len(challengeNames) > 0 { return proof, fmt.Errorf("excessive challenges") } + proof.FinalEvalProof = claims.ProverFinalEval(challenges) return proof, nil diff --git a/std/recursion/sumcheck/scalarmul_gates_test.go b/std/recursion/sumcheck/scalarmul_gates.go similarity index 93% rename from std/recursion/sumcheck/scalarmul_gates_test.go rename to std/recursion/sumcheck/scalarmul_gates.go index f15c9a8ec6..833e522923 100644 --- a/std/recursion/sumcheck/scalarmul_gates_test.go +++ b/std/recursion/sumcheck/scalarmul_gates.go @@ -15,7 +15,7 @@ import ( ) type projAddGate[AE ArithEngine[E], E element] struct { - folding E + Folding E } func (m projAddGate[AE, E]) NbInputs() int { return 6 } @@ -61,9 +61,9 @@ func (m projAddGate[AE, E]) Evaluate(api AE, vars ...E) E { Z3 = api.Mul(Z3, t4) Z3 = api.Add(Z3, t0) - res := api.Mul(m.folding, Z3) + res := api.Mul(m.Folding, Z3) res = api.Add(res, Y3) - res = api.Mul(m.folding, res) + res = api.Mul(m.Folding, res) res = api.Add(res, X3) return res } @@ -114,7 +114,7 @@ func (c *ProjAddSumcheckCircuit[FR]) Define(api frontend.API) error { func testProjAddSumCheckInstance[FR emulated.FieldParams](t *testing.T, current *big.Int, inputs [][]int) { var fr FR - nativeGate := projAddGate[*BigIntEngine, *big.Int]{folding: big.NewInt(123)} + nativeGate := projAddGate[*BigIntEngine, *big.Int]{Folding: big.NewInt(123)} assert := test.NewAssert(t) inputB := make([][]*big.Int, len(inputs)) for i := range inputB { @@ -168,8 +168,8 @@ func TestProjAddSumCheckSumcheck(t *testing.T) { testProjAddSumCheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), inputs) } -type dblAddSelectGate[AE ArithEngine[E], E element] struct { - folding []E +type DblAddSelectGate[AE ArithEngine[E], E element] struct { + Folding []E } func projAdd[AE ArithEngine[E], E element](api AE, X1, Y1, Z1, X2, Y2, Z2 E) (X3, Y3, Z3 E) { @@ -248,14 +248,14 @@ func projDbl[AE ArithEngine[E], E element](api AE, X, Y, Z E) (X3, Y3, Z3 E) { return } -func (m dblAddSelectGate[AE, E]) NbInputs() int { return 7 } -func (m dblAddSelectGate[AE, E]) Degree() int { return 5 } -func (m dblAddSelectGate[AE, E]) Evaluate(api AE, vars ...E) E { +func (m DblAddSelectGate[AE, E]) NbInputs() int { return 7 } +func (m DblAddSelectGate[AE, E]) Degree() int { return 5 } +func (m DblAddSelectGate[AE, E]) Evaluate(api AE, vars ...E) E { if len(vars) != m.NbInputs() { panic("incorrect nb of inputs") } - if len(m.folding) != m.NbInputs()-1 { - panic("incorrect nb of folding vars") + if len(m.Folding) != m.NbInputs()-1 { + panic("incorrect nb of Folding vars") } // X1, Y1, Z1 == accumulator X1, Y1, Z1 := vars[0], vars[1], vars[2] @@ -267,13 +267,13 @@ func (m dblAddSelectGate[AE, E]) Evaluate(api AE, vars ...E) E { ResX, ResY, ResZ := projSelect(api, selector, tmpX, tmpY, tmpZ, X2, Y2, Z2) AccX, AccY, AccZ := projDbl(api, X1, Y1, Z1) - // folding part - f0 := api.Mul(m.folding[0], AccX) - f1 := api.Mul(m.folding[1], AccY) - f2 := api.Mul(m.folding[2], AccZ) - f3 := api.Mul(m.folding[3], ResX) - f4 := api.Mul(m.folding[4], ResY) - f5 := api.Mul(m.folding[5], ResZ) + // Folding part + f0 := api.Mul(m.Folding[0], AccX) + f1 := api.Mul(m.Folding[1], AccY) + f2 := api.Mul(m.Folding[2], AccZ) + f3 := api.Mul(m.Folding[3], ResX) + f4 := api.Mul(m.Folding[4], ResY) + f5 := api.Mul(m.Folding[5], ResZ) res := api.Add(f0, f1) res = api.Add(res, f2) res = api.Add(res, f3) @@ -285,7 +285,7 @@ func (m dblAddSelectGate[AE, E]) Evaluate(api AE, vars ...E) E { func TestDblAndAddGate(t *testing.T) { assert := test.NewAssert(t) - nativeGate := dblAddSelectGate[*BigIntEngine, *big.Int]{folding: []*big.Int{ + nativeGate := DblAddSelectGate[*BigIntEngine, *big.Int]{Folding: []*big.Int{ big.NewInt(1), big.NewInt(2), big.NewInt(3), @@ -339,9 +339,9 @@ func (c *ProjDblAddSelectSumcheckCircuit[FR]) Define(api frontend.API) error { for i := range c.EvaluationPoints { evalPoints[i] = polynomial.FromSlice[FR](c.EvaluationPoints[i]) } - claim, err := newGate[FR](api, dblAddSelectGate[*EmuEngine[FR], + claim, err := newGate[FR](api, DblAddSelectGate[*EmuEngine[FR], *emulated.Element[FR]]{ - folding: []*emulated.Element[FR]{ + Folding: []*emulated.Element[FR]{ f.NewElement(1), f.NewElement(2), f.NewElement(3), @@ -361,7 +361,7 @@ func (c *ProjDblAddSelectSumcheckCircuit[FR]) Define(api frontend.API) error { func testProjDblAddSelectSumCheckInstance[FR emulated.FieldParams](t *testing.T, current *big.Int, inputs [][]int) { var fr FR - nativeGate := dblAddSelectGate[*BigIntEngine, *big.Int]{folding: []*big.Int{ + nativeGate := DblAddSelectGate[*BigIntEngine, *big.Int]{Folding: []*big.Int{ big.NewInt(1), big.NewInt(2), big.NewInt(3), diff --git a/std/recursion/sumcheck/sumcheck_test.go b/std/recursion/sumcheck/sumcheck.go similarity index 100% rename from std/recursion/sumcheck/sumcheck_test.go rename to std/recursion/sumcheck/sumcheck.go From 81335d7c2bff87544dbfa5da7e028be32c4b1694 Mon Sep 17 00:00:00 2001 From: ak36 Date: Wed, 3 Jul 2024 21:55:08 -0400 Subject: [PATCH 21/26] commented print patch --- std/math/emulated/field_mul.go | 152 ++++++++++++------------ std/recursion/gkr/gkr_nonnative_test.go | 4 +- 2 files changed, 78 insertions(+), 78 deletions(-) diff --git a/std/math/emulated/field_mul.go b/std/math/emulated/field_mul.go index abc0f3dd87..b47efca856 100644 --- a/std/math/emulated/field_mul.go +++ b/std/math/emulated/field_mul.go @@ -115,100 +115,100 @@ func (mc *mulCheck[T]) cleanEvaluations() { // mulMod returns a*b mod r. In practice it computes the result using a hint and // defers the actual multiplication check. func (f *Field[T]) mulMod(a, b *Element[T], _ uint, p *Element[T]) *Element[T] { - return f.mulModProfiling(a, b, p, true) - // f.enforceWidthConditional(a) - // f.enforceWidthConditional(b) - // f.enforceWidthConditional(p) - //k, r, c, err := f.callMulHint(a, b, true, p) - // if err != nil { - // panic(err) - // } - // mc := mulCheck[T]{ - // f: f, - // a: a, - // b: b, - // c: c, - // k: k, - // r: r, - // p: p, - // } - // f.mulChecks = append(f.mulChecks, mc) - // return r + //return f.mulModProfiling(a, b, p, true) + f.enforceWidthConditional(a) + f.enforceWidthConditional(b) + f.enforceWidthConditional(p) + k, r, c, err := f.callMulHint(a, b, true, p) + if err != nil { + panic(err) + } + mc := mulCheck[T]{ + f: f, + a: a, + b: b, + c: c, + k: k, + r: r, + p: p, + } + f.mulChecks = append(f.mulChecks, mc) + return r } // checkZero creates multiplication check a * 1 = 0 + k*p. func (f *Field[T]) checkZero(a *Element[T], p *Element[T]) { - f.mulModProfiling(a, f.shortOne(), p, false) + //f.mulModProfiling(a, f.shortOne(), p, false) // the method works similarly to mulMod, but we know that we are multiplying // by one and expected result should be zero. - // f.enforceWidthConditional(a) - // f.enforceWidthConditional(p) - // b := f.shortOne() - // k, r, c, err := f.callMulHint(a, b, false, p) - // if err != nil { - // panic(err) - // } - // mc := mulCheck[T]{ - // f: f, - // a: a, - // b: b, // one on single limb to speed up the polynomial evaluation - // c: c, - // k: k, - // r: r, // expected to be zero on zero limbs. - // p: p, - // } - // f.mulChecks = append(f.mulChecks, mc) -} - -func (f *Field[T]) mulModProfiling(a, b *Element[T], p *Element[T], isMulMod bool) *Element[T] { f.enforceWidthConditional(a) - f.enforceWidthConditional(b) - k, r, c, err := f.callMulHint(a, b, isMulMod, p) + f.enforceWidthConditional(p) + b := f.shortOne() + k, r, c, err := f.callMulHint(a, b, false, p) if err != nil { panic(err) } mc := mulCheck[T]{ f: f, a: a, - b: b, + b: b, // one on single limb to speed up the polynomial evaluation c: c, k: k, - r: r, + r: r, // expected to be zero on zero limbs. + p: p, } - var toCommit []frontend.Variable - toCommit = append(toCommit, mc.a.Limbs...) - toCommit = append(toCommit, mc.b.Limbs...) - toCommit = append(toCommit, mc.r.Limbs...) - toCommit = append(toCommit, mc.k.Limbs...) - toCommit = append(toCommit, mc.c.Limbs...) - multicommit.WithCommitment(f.api, func(api frontend.API, commitment frontend.Variable) error { - // we do nothing. We just want to ensure that we count the commitments - return nil - }, toCommit...) - // XXX: or use something variable to count the commitments and constraints properly. Maybe can use 123 from hint? - commitment := 123 - - // for efficiency, we compute all powers of the challenge as slice at. - coefsLen := max(len(mc.a.Limbs), len(mc.b.Limbs), - len(mc.c.Limbs), len(mc.k.Limbs)) - at := make([]frontend.Variable, coefsLen) - at[0] = commitment - for i := 1; i < len(at); i++ { - at[i] = f.api.Mul(at[i-1], commitment) - } - mc.evalRound1(at) - mc.evalRound2(at) - // evaluate p(X) at challenge - pval := f.evalWithChallenge(f.Modulus(), at) - // compute (2^t-X) at challenge - coef := big.NewInt(1) - coef.Lsh(coef, f.fParams.BitsPerLimb()) - ccoef := f.api.Sub(coef, commitment) - // verify all mulchecks - mc.check(f.api, pval.evaluation, ccoef) - return r + f.mulChecks = append(f.mulChecks, mc) } +// func (f *Field[T]) mulModProfiling(a, b *Element[T], p *Element[T], isMulMod bool) *Element[T] { +// f.enforceWidthConditional(a) +// f.enforceWidthConditional(b) +// k, r, c, err := f.callMulHint(a, b, isMulMod, p) +// if err != nil { +// panic(err) +// } +// mc := mulCheck[T]{ +// f: f, +// a: a, +// b: b, +// c: c, +// k: k, +// r: r, +// } +// var toCommit []frontend.Variable +// toCommit = append(toCommit, mc.a.Limbs...) +// toCommit = append(toCommit, mc.b.Limbs...) +// toCommit = append(toCommit, mc.r.Limbs...) +// toCommit = append(toCommit, mc.k.Limbs...) +// toCommit = append(toCommit, mc.c.Limbs...) +// multicommit.WithCommitment(f.api, func(api frontend.API, commitment frontend.Variable) error { +// // we do nothing. We just want to ensure that we count the commitments +// return nil +// }, toCommit...) +// // XXX: or use something variable to count the commitments and constraints properly. Maybe can use 123 from hint? +// commitment := 123 + +// // for efficiency, we compute all powers of the challenge as slice at. +// coefsLen := max(len(mc.a.Limbs), len(mc.b.Limbs), +// len(mc.c.Limbs), len(mc.k.Limbs)) +// at := make([]frontend.Variable, coefsLen) +// at[0] = commitment +// for i := 1; i < len(at); i++ { +// at[i] = f.api.Mul(at[i-1], commitment) +// } +// mc.evalRound1(at) +// mc.evalRound2(at) +// // evaluate p(X) at challenge +// pval := f.evalWithChallenge(f.Modulus(), at) +// // compute (2^t-X) at challenge +// coef := big.NewInt(1) +// coef.Lsh(coef, f.fParams.BitsPerLimb()) +// ccoef := f.api.Sub(coef, commitment) +// // verify all mulchecks +// mc.check(f.api, pval.evaluation, ccoef) +// return r +// } + // evalWithChallenge represents element a as a polynomial a(X) and evaluates at // at[0]. For efficiency, we use already evaluated powers of at[0] given by at. // It stores the evaluation result inside the Element and marks it as evaluated. diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index 6b3304df99..b648410ba1 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -296,7 +296,7 @@ func getCircuitEmulated[FR emulated.FieldParams](path string) (circuit CircuitEm if bytes, err = os.ReadFile(path); err == nil { var circuitInfo CircuitInfo if err = json.Unmarshal(bytes, &circuitInfo); err == nil { - circuit, err = toCircuitEmulated[FR](circuitInfo) + circuit, err = ToCircuitEmulated[FR](circuitInfo) if err == nil { circuitCache[path] = circuit } @@ -305,7 +305,7 @@ func getCircuitEmulated[FR emulated.FieldParams](path string) (circuit CircuitEm return } -func toCircuitEmulated[FR emulated.FieldParams](c CircuitInfo) (circuit CircuitEmulated[FR], err error) { +func ToCircuitEmulated[FR emulated.FieldParams](c CircuitInfo) (circuit CircuitEmulated[FR], err error) { var GatesEmulated = map[string]GateEmulated[FR]{ "identity": IdentityGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, "add": AddGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{}, From 29c23c56e05ec5cc2da8beecae39879861ad669e Mon Sep 17 00:00:00 2001 From: ak36 Date: Wed, 3 Jul 2024 21:59:26 -0400 Subject: [PATCH 22/26] changes from gofmt --- frontend/variable.go | 2 +- std/fiat-shamir/settings.go | 8 +- std/gkr/gkr_test.go | 10 +- std/math/emulated/element.go | 2 +- std/math/emulated/field_ops.go | 6 +- std/math/polynomial/polynomial.go | 2 +- std/polynomial/polynomial.go | 6 +- std/recursion/gkr/gkr_nonnative.go | 22 ++--- std/recursion/gkr/gkr_nonnative_test.go | 95 +++++++++--------- std/recursion/gkr/scalar_mul.go | 126 ++++++++++++++++++++++++ std/recursion/gkr/utils/util.go | 4 +- std/recursion/sumcheck/claim_intf.go | 2 +- std/recursion/sumcheck/polynomial.go | 2 +- std/recursion/sumcheck/proof.go | 2 +- std/recursion/sumcheck/prover.go | 2 +- std/recursion/sumcheck/verifier.go | 2 +- std/sumcheck/sumcheck.go | 2 +- 17 files changed, 210 insertions(+), 85 deletions(-) create mode 100644 std/recursion/gkr/scalar_mul.go diff --git a/frontend/variable.go b/frontend/variable.go index 1567903a33..82d33fbc90 100644 --- a/frontend/variable.go +++ b/frontend/variable.go @@ -16,7 +16,7 @@ limitations under the License. package frontend -import ( +import ( "github.com/consensys/gnark/frontend/internal/expr" ) diff --git a/std/fiat-shamir/settings.go b/std/fiat-shamir/settings.go index cc39cb52f4..2c475e83e4 100644 --- a/std/fiat-shamir/settings.go +++ b/std/fiat-shamir/settings.go @@ -1,11 +1,11 @@ package fiatshamir import ( - "math/big" - gohash "hash" + "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/std/hash" "github.com/consensys/gnark/std/math/emulated" - "github.com/consensys/gnark/frontend" + gohash "hash" + "math/big" ) type Settings struct { @@ -72,4 +72,4 @@ func WithHashFr[FR emulated.FieldParams](hash hash.FieldHasher, baseChallenges . BaseChallenges: baseChallenges, Hash: hash, } -} \ No newline at end of file +} diff --git a/std/gkr/gkr_test.go b/std/gkr/gkr_test.go index f077c7753d..31ebd5c112 100644 --- a/std/gkr/gkr_test.go +++ b/std/gkr/gkr_test.go @@ -3,11 +3,11 @@ package gkr import ( "encoding/json" "fmt" + "math/big" "os" "path/filepath" "reflect" "testing" - "math/big" "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" @@ -135,7 +135,7 @@ func (c *GkrVerifierCircuit) Define(api frontend.API) error { func makeInOutAssignment(c Circuit, inputValues [][]frontend.Variable, outputValues [][]frontend.Variable) WireAssignment { sorted := topologicalSort(c) - res := make(WireAssignment, len(inputValues) + len(outputValues)) + res := make(WireAssignment, len(inputValues)+len(outputValues)) inI, outI := 0, 0 for _, w := range sorted { if w.IsInput() { @@ -166,8 +166,8 @@ type TestCase struct { type TestCaseInfo struct { Hash HashDescription `json:"hash"` Circuit string `json:"circuit"` - Input [][]big.Int `json:"input"` - Output [][]big.Int `json:"output"` + Input [][]big.Int `json:"input"` + Output [][]big.Int `json:"output"` Proof PrintableProof `json:"proof"` } @@ -276,7 +276,7 @@ func (g _select) Degree() int { type PrintableProof []PrintableSumcheckProof type PrintableSumcheckProof struct { - FinalEvalProof interface{} `json:"finalEvalProof"` + FinalEvalProof interface{} `json:"finalEvalProof"` RoundPolyEvaluations [][]interface{} `json:"roundPolyEvaluations"` } diff --git a/std/math/emulated/element.go b/std/math/emulated/element.go index 6ad12d7942..f3da9d3c7c 100644 --- a/std/math/emulated/element.go +++ b/std/math/emulated/element.go @@ -105,4 +105,4 @@ func (e *Element[T]) copy() *Element[T] { r.overflow = e.overflow r.internal = e.internal return &r -} \ No newline at end of file +} diff --git a/std/math/emulated/field_ops.go b/std/math/emulated/field_ops.go index 62f5f6e450..2ef1f26889 100644 --- a/std/math/emulated/field_ops.go +++ b/std/math/emulated/field_ops.go @@ -3,10 +3,10 @@ package emulated import ( "errors" "fmt" - "math/bits" - "math/big" "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/std/selector" + "math/big" + "math/bits" ) // Div computes a/b and returns it. It uses [DivHint] as a hint function. @@ -401,4 +401,4 @@ func (f *Field[T]) String(a *Element[T]) string { func (f *Field[T]) Println(a *Element[T]) { res := f.String(a) fmt.Println(res) -} \ No newline at end of file +} diff --git a/std/math/polynomial/polynomial.go b/std/math/polynomial/polynomial.go index b2acb87c6f..511dc4107d 100644 --- a/std/math/polynomial/polynomial.go +++ b/std/math/polynomial/polynomial.go @@ -120,7 +120,7 @@ func (p *Polynomial[FR]) EvalMultilinear(at []*emulated.Element[FR], M Multiline // EvalMultilinearMany evaluates multilinear polynomials at variable values at. It // returns the evaluations. The method does not mutate the inputs. -// +// // The method allows to share computations of computing the coefficients of the // multilinear polynomials at the given evaluation points. func (p *Polynomial[FR]) EvalMultilinearMany(at []*emulated.Element[FR], M ...Multilinear[FR]) ([]*emulated.Element[FR], error) { diff --git a/std/polynomial/polynomial.go b/std/polynomial/polynomial.go index 5bf398c9f3..4bd0940023 100644 --- a/std/polynomial/polynomial.go +++ b/std/polynomial/polynomial.go @@ -3,8 +3,8 @@ package polynomial import ( "math/bits" - "github.com/consensys/gnark/frontend" "github.com/consensys/gnark-crypto/utils" + "github.com/consensys/gnark/frontend" ) type Polynomial []frontend.Variable @@ -128,8 +128,8 @@ func (m *MultiLin) Eq(api frontend.API, q []frontend.Variable) { for i := range q { // In the comments we use a 1-based index so q[i] = qᵢ₊₁ // go through all assignments of (b₁, ..., bᵢ) ∈ {0,1}ⁱ for j := 0; j < (1 << i); j++ { - j0 := j << (n - i) // bᵢ₊₁ = 0 - j1 := j0 + 1<<(n-1-i) // bᵢ₊₁ = 1 + j0 := j << (n - i) // bᵢ₊₁ = 0 + j1 := j0 + 1<<(n-1-i) // bᵢ₊₁ = 1 (*m)[j1] = api.Mul((*m)[j1], q[i]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 1) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) qᵢ₊₁ (*m)[j0] = api.Sub((*m)[j0], (*m)[j1]) // Eq(q₁, ..., qᵢ₊₁, b₁, ..., bᵢ, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) Eq(qᵢ₊₁, 0) = Eq(q₁, ..., qᵢ, b₁, ..., bᵢ) (1-qᵢ₊₁) } diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index fd25f184ff..0ae901f02a 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -2,9 +2,6 @@ package gkr import ( "fmt" - "math/big" - "slices" - "strconv" cryptofiatshamir "github.com/consensys/gnark-crypto/fiat-shamir" "github.com/consensys/gnark-crypto/utils" "github.com/consensys/gnark/frontend" @@ -15,6 +12,9 @@ import ( "github.com/consensys/gnark/std/math/polynomial" "github.com/consensys/gnark/std/recursion" "github.com/consensys/gnark/std/recursion/sumcheck" + "math/big" + "slices" + "strconv" ) // Gate must be a low-degree polynomial @@ -31,14 +31,14 @@ type Wire struct { // Gate must be a low-degree polynomial type GateEmulated[FR emulated.FieldParams] interface { - Evaluate(*sumcheck.EmuEngine[FR], ...*emulated.Element[FR]) *emulated.Element[FR] + Evaluate(*sumcheck.EmuEngine[FR], ...*emulated.Element[FR]) *emulated.Element[FR] Degree() int } type WireEmulated[FR emulated.FieldParams] struct { Gate GateEmulated[FR] Inputs []*WireEmulated[FR] // if there are no Inputs, the wire is assumed an input wire - nbUniqueOutputs int // number of other wires using it as input, not counting duplicates (i.e. providing two inputs to the same gate counts as one) + nbUniqueOutputs int // number of other wires using it as input, not counting duplicates (i.e. providing two inputs to the same gate counts as one) } type Circuit []Wire @@ -521,9 +521,9 @@ func WithSortedCircuitEmulated[FR emulated.FieldParams](sorted []*WireEmulated[F // Verifier allows to check sumcheck proofs. See [NewVerifier] for initializing the instance. type GKRVerifier[FR emulated.FieldParams] struct { - api frontend.API - f *emulated.Field[FR] - p *polynomial.Polynomial[FR] + api frontend.API + f *emulated.Field[FR] + p *polynomial.Polynomial[FR] *sumcheck.Config } @@ -783,7 +783,7 @@ func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignme if wire.noProof() { // input wires with one claim only proof[i] = sumcheck.NativeProof{ RoundPolyEvaluations: []sumcheck.NativePolynomial{}, - FinalEvalProof: finalEvalProof, + FinalEvalProof: finalEvalProof, } } else { proof[i], err = sumcheck.Prove( @@ -864,7 +864,7 @@ func (v *GKRVerifier[FR]) Verify(api frontend.API, c CircuitEmulated[FR], assign default: return fmt.Errorf("finalEvalProof is not of type DeferredEvalProof") } - + if (finalEvalProof != nil && proofLen != 0) || len(proofW.RoundPolyEvaluations) != 0 { return fmt.Errorf("no proof allowed for input wire with a single claim") } @@ -1221,7 +1221,7 @@ func DeserializeProof[FR emulated.FieldParams](sorted []*WireEmulated[FR], seria return proof, nil } -type element any +type element any type MulGate[AE sumcheck.ArithEngine[E], E element] struct{} diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index b648410ba1..0d4ae6fae3 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -4,9 +4,9 @@ import ( "encoding/json" "fmt" gohash "hash" + "math/big" "os" "path/filepath" - "math/big" "testing" "github.com/consensys/gnark-crypto/ecc" @@ -15,8 +15,8 @@ import ( fiatshamir "github.com/consensys/gnark/std/fiat-shamir" "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark/std/math/emulated/emparams" - "github.com/consensys/gnark/std/recursion/gkr/utils" "github.com/consensys/gnark/std/recursion" + "github.com/consensys/gnark/std/recursion/gkr/utils" "github.com/consensys/gnark/std/recursion/sumcheck" "github.com/consensys/gnark/test" "github.com/stretchr/testify/assert" @@ -53,7 +53,7 @@ func proofEquals(expected NativeProofs, seen NativeProofs) error { } for i, x := range expected { xSeen := seen[i] - + xfinalEvalProofSeen := xSeen.FinalEvalProof switch finalEvalProof := xfinalEvalProofSeen.(type) { case nil: @@ -69,8 +69,8 @@ func proofEquals(expected NativeProofs, seen NativeProofs) error { return fmt.Errorf("length mismatch %d ≠ %d", 0, len(seenFinalEval)) } } else { - if err := utils.SliceEqualsBigInt(x.FinalEvalProof.(sumcheck.NativeDeferredEvalProof), - xfinalEvalProofSeen.(sumcheck.NativeDeferredEvalProof)); err != nil { + if err := utils.SliceEqualsBigInt(x.FinalEvalProof.(sumcheck.NativeDeferredEvalProof), + xfinalEvalProofSeen.(sumcheck.NativeDeferredEvalProof)); err != nil { return fmt.Errorf("final evaluation proof mismatch") } } @@ -201,10 +201,10 @@ type TestCaseVerifier[FR emulated.FieldParams] struct { } type TestCaseInfo struct { Hash utils.HashDescription `json:"hash"` - Circuit string `json:"circuit"` + Circuit string `json:"circuit"` Input [][]interface{} `json:"input"` - Output [][]interface{} `json:"output"` - Proof PrintableProof `json:"proof"` + Output [][]interface{} `json:"output"` + Proof PrintableProof `json:"proof"` } var testCases = make(map[string]interface{}) @@ -231,7 +231,6 @@ func getTestCase[FR emulated.FieldParams](path string) (*TestCaseVerifier[FR], e return nil, err } - nativeProofs := unmarshalProof(info.Proof) proofs := make(Proofs[FR], len(nativeProofs)) for i, proof := range nativeProofs { @@ -351,42 +350,42 @@ func toCircuit(c CircuitInfo) (circuit Circuit, err error) { type PrintableProof []PrintableSumcheckProof type PrintableSumcheckProof struct { - FinalEvalProof [][]uint64 `json:"finalEvalProof"` - RoundPolyEvaluations [][][]uint64 `json:"roundPolyEvaluations"` + FinalEvalProof [][]uint64 `json:"finalEvalProof"` + RoundPolyEvaluations [][][]uint64 `json:"roundPolyEvaluations"` } func unmarshalProof(printable []PrintableSumcheckProof) (proof NativeProofs) { - proof = make(NativeProofs, len(printable)) - - for i := range printable { - if printable[i].FinalEvalProof != nil { - finalEvalProof := make(sumcheck.NativeDeferredEvalProof, len(printable[i].FinalEvalProof)) - for k, val := range printable[i].FinalEvalProof { - var temp big.Int - temp.SetUint64(val[0]) - for _, v := range val[1:] { - temp.Lsh(&temp, 64).Add(&temp, new(big.Int).SetUint64(v)) - } - finalEvalProof[k] = temp - } - proof[i].FinalEvalProof = finalEvalProof - } else { - proof[i].FinalEvalProof = nil - } - - proof[i].RoundPolyEvaluations = make([]sumcheck.NativePolynomial, len(printable[i].RoundPolyEvaluations)) - for k, evals := range printable[i].RoundPolyEvaluations { - proof[i].RoundPolyEvaluations[k] = make(sumcheck.NativePolynomial, len(evals)) - for j, eval := range evals { - var temp big.Int - temp.SetUint64(eval[0]) - for _, v := range eval[1:] { - temp.Lsh(&temp, 64).Add(&temp, new(big.Int).SetUint64(v)) - } - proof[i].RoundPolyEvaluations[k][j] = &temp - } - } - } + proof = make(NativeProofs, len(printable)) + + for i := range printable { + if printable[i].FinalEvalProof != nil { + finalEvalProof := make(sumcheck.NativeDeferredEvalProof, len(printable[i].FinalEvalProof)) + for k, val := range printable[i].FinalEvalProof { + var temp big.Int + temp.SetUint64(val[0]) + for _, v := range val[1:] { + temp.Lsh(&temp, 64).Add(&temp, new(big.Int).SetUint64(v)) + } + finalEvalProof[k] = temp + } + proof[i].FinalEvalProof = finalEvalProof + } else { + proof[i].FinalEvalProof = nil + } + + proof[i].RoundPolyEvaluations = make([]sumcheck.NativePolynomial, len(printable[i].RoundPolyEvaluations)) + for k, evals := range printable[i].RoundPolyEvaluations { + proof[i].RoundPolyEvaluations[k] = make(sumcheck.NativePolynomial, len(evals)) + for j, eval := range evals { + var temp big.Int + temp.SetUint64(eval[0]) + for _, v := range eval[1:] { + temp.Lsh(&temp, 64).Add(&temp, new(big.Int).SetUint64(v)) + } + proof[i].RoundPolyEvaluations[k][j] = &temp + } + } + } return proof } @@ -473,7 +472,7 @@ func TestTopSortWide(t *testing.T) { var mimcSnarkTotalCalls = 0 -//todo add ark +// todo add ark type MiMCCipherGate struct { } @@ -512,7 +511,7 @@ type TestCase struct { Current big.Int Target big.Int Circuit Circuit - Hash gohash.Hash + Hash gohash.Hash Proof NativeProofs FullAssignment WireAssignment InOutAssignment WireAssignment @@ -520,8 +519,8 @@ type TestCase struct { func (p *PrintableSumcheckProof) UnmarshalJSON(data []byte) error { var temp struct { - FinalEvalProof [][]uint64 `json:"finalEvalProof"` - RoundPolyEvaluations [][][]uint64 `json:"roundPolyEvaluations"` + FinalEvalProof [][]uint64 `json:"finalEvalProof"` + RoundPolyEvaluations [][][]uint64 `json:"roundPolyEvaluations"` } if err := json.Unmarshal(data, &temp); err != nil { @@ -554,7 +553,7 @@ func newTestCase(path string, target big.Int) (*TestCase, error) { if !ok { var bytes []byte if bytes, err = os.ReadFile(path); err == nil { - var info TestCaseInfo + var info TestCaseInfo err = json.Unmarshal(bytes, &info) if err != nil { return nil, err @@ -570,7 +569,7 @@ func newTestCase(path string, target big.Int) (*TestCase, error) { } proof := unmarshalProof(info.Proof) - + fullAssignment := make(WireAssignment) inOutAssignment := make(WireAssignment) diff --git a/std/recursion/gkr/scalar_mul.go b/std/recursion/gkr/scalar_mul.go new file mode 100644 index 0000000000..58aed8fa32 --- /dev/null +++ b/std/recursion/gkr/scalar_mul.go @@ -0,0 +1,126 @@ +package gkr + +import ( + //"fmt" + //gohash "hash" + "math/big" + "testing" + + //fiatshamir "github.com/consensys/gnark/std/fiat-shamir" + "github.com/consensys/gnark/std/math/emulated" + //"github.com/consensys/gnark/std/recursion/gkr/utils" + "github.com/consensys/gnark/std/recursion/sumcheck" + //"github.com/consensys/gnark/test" +) + +func testProjDblAddSelectGKRInstance[FR emulated.FieldParams](t *testing.T, current *big.Int, target *big.Int, inputs [][]int) { + //var fr FR + c := make(Circuit, 3) + c[1] = Wire{ + Gate: sumcheck.DblAddSelectGate[*sumcheck.BigIntEngine, *big.Int]{ + Folding: []*big.Int{ + big.NewInt(1), + big.NewInt(2), + big.NewInt(3), + big.NewInt(4), + big.NewInt(5), + big.NewInt(6), + }, + }, + Inputs: []*Wire{&c[0]}, + } + + // val1 := emulated.ValueOf[FR](1) + // val2 := emulated.ValueOf[FR](2) + // val3 := emulated.ValueOf[FR](3) + // val4 := emulated.ValueOf[FR](4) + // val5 := emulated.ValueOf[FR](5) + // val6 := emulated.ValueOf[FR](6) + // cEmulated := make(CircuitEmulated[FR], len(c)) + // cEmulated[1] = WireEmulated[FR]{ + // Gate: sumcheck.DblAddSelectGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{ + // Folding: []*emulated.Element[FR]{ + // &val1, + // &val2, + // &val3, + // &val4, + // &val5, + // &val6, + // }, + // }, + // Inputs: []*WireEmulated[FR]{&cEmulated[0]}, + // } + + // assert := test.NewAssert(t) + // inputB := make([][]*big.Int, len(inputs)) + // for i := range inputB { + // inputB[i] = make([]*big.Int, len(inputs[i])) + // for j := range inputs[i] { + // inputB[i][j] = big.NewInt(int64(inputs[i][j])) + // } + // } + + // var hash gohash.Hash + // hash, err := utils.HashFromDescription(map[string]interface{}{ + // "hash": map[string]interface{}{ + // "type": "const", + // "val": -1, + // }, + // }) + // assert.NoError(err) + + // t.Log("Evaluating all circuit wires") + // assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c, target) + // t.Log("Circuit evaluation complete") + // proof, err := Prove(current, target, c, assignment, fiatshamir.WithHashBigInt(hash)) + // assert.NoError(err) + // fmt.Println(proof) + // //assert.NoError(proofEquals(testCase.Proof, proof)) + + // t.Log("Proof complete") + + // evalPointsB, evalPointsPH, evalPointsC := getChallengeEvaluationPoints[FR](inputB) + // claim, evals, err := newNativeGate(fr.Modulus(), nativeGate, inputB, evalPointsB) + // assert.NoError(err) + // proof, err := Prove(current, fr.Modulus(), claim) + // assert.NoError(err) + // nbVars := bits.Len(uint(len(inputs[0]))) - 1 + // circuit := &ProjDblAddSelectSumcheckCircuit[FR]{ + // Inputs: make([][]emulated.Element[FR], len(inputs)), + // Proof: placeholderGateProof[FR](nbVars, nativeGate.Degree()), + // EvaluationPoints: evalPointsPH, + // Claimed: make([]emulated.Element[FR], 1), + // } + // assignment := &ProjDblAddSelectSumcheckCircuit[FR]{ + // Inputs: make([][]emulated.Element[FR], len(inputs)), + // Proof: ValueOfProof[FR](proof), + // EvaluationPoints: evalPointsC, + // Claimed: []emulated.Element[FR]{emulated.ValueOf[FR](evals[0])}, + // } + // for i := range inputs { + // circuit.Inputs[i] = make([]emulated.Element[FR], len(inputs[i])) + // assignment.Inputs[i] = make([]emulated.Element[FR], len(inputs[i])) + // for j := range inputs[i] { + // assignment.Inputs[i][j] = emulated.ValueOf[FR](inputs[i][j]) + // } + // } + // err = test.IsSolved(circuit, assignment, current) + // assert.NoError(err) +} + +// func TestProjDblAddSelectSumCheckSumcheck(t *testing.T) { +// // testProjDblAddSelectSumCheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{4, 3}, {2, 3}, {3, 6}, {4, 9}, {13, 3}, {31, 9}}) +// // testProjDblAddSelectSumCheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{1, 2, 3, 4}, {5, 6, 7, 8}}) +// // testProjDblAddSelectSumCheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{1, 2, 3, 4, 5, 6, 7, 8}, {11, 12, 13, 14, 15, 16, 17, 18}}) +// inputs := [][]int{{0}, {1}, {2}, {3}, {4}, {5}, {6}} +// for i := 1; i < (1 << 14); i++ { +// inputs[0] = append(inputs[0], (inputs[0][i-1]-1)*(inputs[0][i-1]-1)) +// inputs[1] = append(inputs[1], (inputs[0][i-1]+1)*2) +// inputs[2] = append(inputs[2], (inputs[1][i-1]+2)*7) +// inputs[3] = append(inputs[3], (inputs[2][i-1]+3)*6) +// inputs[4] = append(inputs[4], (inputs[3][i-1]+4)*5) +// inputs[5] = append(inputs[5], (inputs[4][i-1]+5)*4) +// inputs[6] = append(inputs[6], (inputs[5][i-1]+6)*3) +// } +// testProjDblAddSelectSumCheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), inputs) +// } diff --git a/std/recursion/gkr/utils/util.go b/std/recursion/gkr/utils/util.go index b4c2f75624..fde31ffee9 100644 --- a/std/recursion/gkr/utils/util.go +++ b/std/recursion/gkr/utils/util.go @@ -2,9 +2,9 @@ package utils import ( "fmt" + gohash "hash" "math/big" "testing" - gohash "hash" "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/std/hash" @@ -190,4 +190,4 @@ func NewMessageCounterGeneratorEmulated(startState, step int) func(frontend.API) return func(api frontend.API) hash.FieldHasher { return NewMessageCounterEmulated(api, startState, step) } -} \ No newline at end of file +} diff --git a/std/recursion/sumcheck/claim_intf.go b/std/recursion/sumcheck/claim_intf.go index a71bb66d36..731234debd 100644 --- a/std/recursion/sumcheck/claim_intf.go +++ b/std/recursion/sumcheck/claim_intf.go @@ -36,4 +36,4 @@ type claims interface { Next(r *big.Int) NativePolynomial // ProverFinalEval returns the (lazy) evaluation proof. ProverFinalEval(r []*big.Int) NativeEvaluationProof -} \ No newline at end of file +} diff --git a/std/recursion/sumcheck/polynomial.go b/std/recursion/sumcheck/polynomial.go index 3bea58646e..3e0da31a38 100644 --- a/std/recursion/sumcheck/polynomial.go +++ b/std/recursion/sumcheck/polynomial.go @@ -19,7 +19,7 @@ func (p NativeMultilinear) Clone(capacity ...int) NativeMultilinear { } else { newCapacity = len(p) } - + res := make(NativeMultilinear, len(p), newCapacity) for i, v := range p { res[i] = new(big.Int).Set(v) diff --git a/std/recursion/sumcheck/proof.go b/std/recursion/sumcheck/proof.go index a651afcffe..67e28fb7ef 100644 --- a/std/recursion/sumcheck/proof.go +++ b/std/recursion/sumcheck/proof.go @@ -29,7 +29,7 @@ type NativeProof struct { // - if it is deferred, then it is a slice. type EvaluationProof any -// evaluationProof for gkr +// evaluationProof for gkr type DeferredEvalProof[FR emulated.FieldParams] []emulated.Element[FR] type NativeDeferredEvalProof []big.Int diff --git a/std/recursion/sumcheck/prover.go b/std/recursion/sumcheck/prover.go index 4bcaf70ab2..d79c467db8 100644 --- a/std/recursion/sumcheck/prover.go +++ b/std/recursion/sumcheck/prover.go @@ -84,4 +84,4 @@ func Prove(current *big.Int, target *big.Int, claims claims, opts ...proverOptio proof.FinalEvalProof = claims.ProverFinalEval(challenges) return proof, nil -} \ No newline at end of file +} diff --git a/std/recursion/sumcheck/verifier.go b/std/recursion/sumcheck/verifier.go index 10d64f7daf..4224d8a56d 100644 --- a/std/recursion/sumcheck/verifier.go +++ b/std/recursion/sumcheck/verifier.go @@ -178,4 +178,4 @@ func (v *Verifier[FR]) Verify(claims LazyClaims[FR], proof Proof[FR], opts ...Ve } return nil -} \ No newline at end of file +} diff --git a/std/sumcheck/sumcheck.go b/std/sumcheck/sumcheck.go index cf290f4aef..9a278bf7e7 100644 --- a/std/sumcheck/sumcheck.go +++ b/std/sumcheck/sumcheck.go @@ -21,7 +21,7 @@ type LazyClaims interface { // Proof of a multi-sumcheck statement. type Proof struct { RoundPolyEvaluations []polynomial.Polynomial - FinalEvalProof interface{} + FinalEvalProof interface{} } func setupTranscript(api frontend.API, claimsNum int, varsNum int, settings *fiatshamir.Settings) ([]string, error) { From 3a72147610488f42dd57bfdf81c5fba37317484f Mon Sep 17 00:00:00 2001 From: ak36 Date: Wed, 3 Jul 2024 22:11:56 -0400 Subject: [PATCH 23/26] fixed lint --- std/recursion/gkr/gkr_nonnative.go | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index 0ae901f02a..9949792db5 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -793,18 +793,6 @@ func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignme return proof, err } - finalEvalProof := proof[i].FinalEvalProof - switch finalEvalProof := finalEvalProof.(type) { - case nil: - finalEvalProof = sumcheck.NativeDeferredEvalProof([]big.Int{}) - case []big.Int: - finalEvalProofLen = len(finalEvalProof) - finalEvalProof = sumcheck.NativeDeferredEvalProof(finalEvalProof) - default: - return nil, fmt.Errorf("finalEvalProof is not of type DeferredEvalProof") - } - - proof[i].FinalEvalProof = finalEvalProof baseChallenge = make([]*big.Int, finalEvalProofLen) for i := 0; i < finalEvalProofLen; i++ { baseChallenge[i] = &finalEvalProof.([]big.Int)[i] From b34071a4de26684ae4382c2faa5724d29adfc4cf Mon Sep 17 00:00:00 2001 From: ak36 Date: Wed, 3 Jul 2024 22:12:57 -0400 Subject: [PATCH 24/26] removed TestLogNbInstances --- std/recursion/gkr/gkr_nonnative_test.go | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index 0d4ae6fae3..f3dfab3760 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -389,26 +389,6 @@ func unmarshalProof(printable []PrintableSumcheckProof) (proof NativeProofs) { return proof } -func TestLogNbInstances(t *testing.T) { - type FR = emulated.BN254Fp - testLogNbInstances := func(path string) func(t *testing.T) { - return func(t *testing.T) { - testCase, err := getTestCase[FR](path) - assert.NoError(t, err) - wires := topologicalSortEmulated(testCase.Circuit) - serializedProof := testCase.Proof.Serialize() - logNbInstances := computeLogNbInstances(wires, len(serializedProof)) - assert.Equal(t, 1, logNbInstances) - } - } - - cases := []string{"two_inputs_select-input-3_gate_two_instances", "two_identity_gates_composed_single_input_two_instances"} - - for _, caseName := range cases { - t.Run("log_nb_instances:"+caseName, testLogNbInstances("test_vectors/"+caseName+".json")) - } -} - func TestLoadCircuit(t *testing.T) { type FR = emulated.BN254Fp c, err := getCircuitEmulated[FR]("test_vectors/resources/two_identity_gates_composed_single_input.json") From 47bad489364cac6921b4df9e075af73a0bbba346 Mon Sep 17 00:00:00 2001 From: ak36 Date: Mon, 8 Jul 2024 22:22:15 -0400 Subject: [PATCH 25/26] dbladdgkr passes --- go.mod | 1 - go.sum | 2 - std/math/emulated/field_mul.go | 152 ++++---- std/recursion/gkr/gkr_nonnative.go | 18 +- std/recursion/gkr/gkr_nonnative_test.go | 383 ++++++++++++++++++- std/recursion/gkr/scalar_mul.go | 126 ------ std/recursion/gkr/utils/util.go | 2 + std/recursion/sumcheck/fullscalarmul_test.go | 184 +++++++++ std/recursion/sumcheck/scalarmul_gates.go | 12 +- 9 files changed, 653 insertions(+), 227 deletions(-) delete mode 100644 std/recursion/gkr/scalar_mul.go create mode 100644 std/recursion/sumcheck/fullscalarmul_test.go diff --git a/go.mod b/go.mod index 69aa38fd8d..4805c741f0 100644 --- a/go.mod +++ b/go.mod @@ -33,7 +33,6 @@ require ( github.com/pmezard/go-difflib v1.0.0 // indirect github.com/rogpeppe/go-internal v1.11.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/dl v0.0.0-20240621154342-20a4bcbb3ee2 // indirect golang.org/x/sys v0.15.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect rsc.io/tmplfunc v0.0.3 // indirect diff --git a/go.sum b/go.sum index 4b5b09748b..99806d860f 100644 --- a/go.sum +++ b/go.sum @@ -57,8 +57,6 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -golang.org/dl v0.0.0-20240621154342-20a4bcbb3ee2 h1:pV/1u+ib3c3Lhedg7EeTXMmyo7pKi7xHFH++3qlpxV8= -golang.org/dl v0.0.0-20240621154342-20a4bcbb3ee2/go.mod h1:fwQ+hlTD8I6TIzOGkQqxQNfE2xqR+y7SzGaDkksVFkw= golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ= diff --git a/std/math/emulated/field_mul.go b/std/math/emulated/field_mul.go index b47efca856..5177873adf 100644 --- a/std/math/emulated/field_mul.go +++ b/std/math/emulated/field_mul.go @@ -115,99 +115,99 @@ func (mc *mulCheck[T]) cleanEvaluations() { // mulMod returns a*b mod r. In practice it computes the result using a hint and // defers the actual multiplication check. func (f *Field[T]) mulMod(a, b *Element[T], _ uint, p *Element[T]) *Element[T] { - //return f.mulModProfiling(a, b, p, true) - f.enforceWidthConditional(a) - f.enforceWidthConditional(b) - f.enforceWidthConditional(p) - k, r, c, err := f.callMulHint(a, b, true, p) - if err != nil { - panic(err) - } - mc := mulCheck[T]{ - f: f, - a: a, - b: b, - c: c, - k: k, - r: r, - p: p, - } - f.mulChecks = append(f.mulChecks, mc) - return r + return f.mulModProfiling(a, b, p, true) + // f.enforceWidthConditional(a) + // f.enforceWidthConditional(b) + // f.enforceWidthConditional(p) + // k, r, c, err := f.callMulHint(a, b, true, p) + // if err != nil { + // panic(err) + // } + // mc := mulCheck[T]{ + // f: f, + // a: a, + // b: b, + // c: c, + // k: k, + // r: r, + // p: p, + // } + // f.mulChecks = append(f.mulChecks, mc) + // return r } // checkZero creates multiplication check a * 1 = 0 + k*p. func (f *Field[T]) checkZero(a *Element[T], p *Element[T]) { - //f.mulModProfiling(a, f.shortOne(), p, false) + f.mulModProfiling(a, f.shortOne(), p, false) // the method works similarly to mulMod, but we know that we are multiplying // by one and expected result should be zero. + // f.enforceWidthConditional(a) + // f.enforceWidthConditional(p) + // b := f.shortOne() + // k, r, c, err := f.callMulHint(a, b, false, p) + // if err != nil { + // panic(err) + // } + // mc := mulCheck[T]{ + // f: f, + // a: a, + // b: b, // one on single limb to speed up the polynomial evaluation + // c: c, + // k: k, + // r: r, // expected to be zero on zero limbs. + // p: p, + // } + // f.mulChecks = append(f.mulChecks, mc) +} + +func (f *Field[T]) mulModProfiling(a, b *Element[T], p *Element[T], isMulMod bool) *Element[T] { f.enforceWidthConditional(a) - f.enforceWidthConditional(p) - b := f.shortOne() - k, r, c, err := f.callMulHint(a, b, false, p) + f.enforceWidthConditional(b) + k, r, c, err := f.callMulHint(a, b, isMulMod, p) if err != nil { panic(err) } mc := mulCheck[T]{ f: f, a: a, - b: b, // one on single limb to speed up the polynomial evaluation + b: b, c: c, k: k, - r: r, // expected to be zero on zero limbs. - p: p, + r: r, } - f.mulChecks = append(f.mulChecks, mc) -} - -// func (f *Field[T]) mulModProfiling(a, b *Element[T], p *Element[T], isMulMod bool) *Element[T] { -// f.enforceWidthConditional(a) -// f.enforceWidthConditional(b) -// k, r, c, err := f.callMulHint(a, b, isMulMod, p) -// if err != nil { -// panic(err) -// } -// mc := mulCheck[T]{ -// f: f, -// a: a, -// b: b, -// c: c, -// k: k, -// r: r, -// } -// var toCommit []frontend.Variable -// toCommit = append(toCommit, mc.a.Limbs...) -// toCommit = append(toCommit, mc.b.Limbs...) -// toCommit = append(toCommit, mc.r.Limbs...) -// toCommit = append(toCommit, mc.k.Limbs...) -// toCommit = append(toCommit, mc.c.Limbs...) -// multicommit.WithCommitment(f.api, func(api frontend.API, commitment frontend.Variable) error { -// // we do nothing. We just want to ensure that we count the commitments -// return nil -// }, toCommit...) -// // XXX: or use something variable to count the commitments and constraints properly. Maybe can use 123 from hint? -// commitment := 123 + var toCommit []frontend.Variable + toCommit = append(toCommit, mc.a.Limbs...) + toCommit = append(toCommit, mc.b.Limbs...) + toCommit = append(toCommit, mc.r.Limbs...) + toCommit = append(toCommit, mc.k.Limbs...) + toCommit = append(toCommit, mc.c.Limbs...) + multicommit.WithCommitment(f.api, func(api frontend.API, commitment frontend.Variable) error { + // we do nothing. We just want to ensure that we count the commitments + return nil + }, toCommit...) + // XXX: or use something variable to count the commitments and constraints properly. Maybe can use 123 from hint? + commitment := 123 -// // for efficiency, we compute all powers of the challenge as slice at. -// coefsLen := max(len(mc.a.Limbs), len(mc.b.Limbs), -// len(mc.c.Limbs), len(mc.k.Limbs)) -// at := make([]frontend.Variable, coefsLen) -// at[0] = commitment -// for i := 1; i < len(at); i++ { -// at[i] = f.api.Mul(at[i-1], commitment) -// } -// mc.evalRound1(at) -// mc.evalRound2(at) -// // evaluate p(X) at challenge -// pval := f.evalWithChallenge(f.Modulus(), at) -// // compute (2^t-X) at challenge -// coef := big.NewInt(1) -// coef.Lsh(coef, f.fParams.BitsPerLimb()) -// ccoef := f.api.Sub(coef, commitment) -// // verify all mulchecks -// mc.check(f.api, pval.evaluation, ccoef) -// return r -// } + // for efficiency, we compute all powers of the challenge as slice at. + coefsLen := max(len(mc.a.Limbs), len(mc.b.Limbs), + len(mc.c.Limbs), len(mc.k.Limbs)) + at := make([]frontend.Variable, coefsLen) + at[0] = commitment + for i := 1; i < len(at); i++ { + at[i] = f.api.Mul(at[i-1], commitment) + } + mc.evalRound1(at) + mc.evalRound2(at) + // evaluate p(X) at challenge + pval := f.evalWithChallenge(f.Modulus(), at) + // compute (2^t-X) at challenge + coef := big.NewInt(1) + coef.Lsh(coef, f.fParams.BitsPerLimb()) + ccoef := f.api.Sub(coef, commitment) + // verify all mulchecks + mc.check(f.api, pval.evaluation, ccoef) + return r +} // evalWithChallenge represents element a as a polynomial a(X) and evaluates at // at[0]. For efficiency, we use already evaluated powers of at[0] given by at. diff --git a/std/recursion/gkr/gkr_nonnative.go b/std/recursion/gkr/gkr_nonnative.go index 9949792db5..191fec699f 100644 --- a/std/recursion/gkr/gkr_nonnative.go +++ b/std/recursion/gkr/gkr_nonnative.go @@ -1,4 +1,4 @@ -package gkr +package gkrnonative import ( "fmt" @@ -778,12 +778,11 @@ func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignme claim := claims.getClaim(be, wire) var finalEvalProofLen int - finalEvalProof := proof[i].FinalEvalProof if wire.noProof() { // input wires with one claim only proof[i] = sumcheck.NativeProof{ RoundPolyEvaluations: []sumcheck.NativePolynomial{}, - FinalEvalProof: finalEvalProof, + FinalEvalProof: sumcheck.NativeDeferredEvalProof([]big.Int{}), } } else { proof[i], err = sumcheck.Prove( @@ -793,6 +792,19 @@ func Prove(current *big.Int, target *big.Int, c Circuit, assignment WireAssignme return proof, err } + finalEvalProof := proof[i].FinalEvalProof + switch finalEvalProof := finalEvalProof.(type) { + case nil: + finalEvalProofCasted := sumcheck.NativeDeferredEvalProof([]big.Int{}) + proof[i].FinalEvalProof = finalEvalProofCasted + case []big.Int: + finalEvalProofLen = len(finalEvalProof) + finalEvalProofCasted := sumcheck.NativeDeferredEvalProof(finalEvalProof) + proof[i].FinalEvalProof = finalEvalProofCasted + default: + return nil, fmt.Errorf("finalEvalProof is not of type DeferredEvalProof") + } + baseChallenge = make([]*big.Int, finalEvalProofLen) for i := 0; i < finalEvalProofLen; i++ { baseChallenge[i] = &finalEvalProof.([]big.Int)[i] diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index f3dfab3760..a766172f6c 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -1,4 +1,4 @@ -package gkr +package gkrnonative import ( "encoding/json" @@ -10,11 +10,15 @@ import ( "testing" "github.com/consensys/gnark-crypto/ecc" + "github.com/consensys/gnark-crypto/ecc/bn254" + fpbn254 "github.com/consensys/gnark-crypto/ecc/bn254/fp" + frbn254 "github.com/consensys/gnark-crypto/ecc/bn254/fr" "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" fiatshamir "github.com/consensys/gnark/std/fiat-shamir" "github.com/consensys/gnark/std/math/emulated" "github.com/consensys/gnark/std/math/emulated/emparams" + "github.com/consensys/gnark/std/math/polynomial" "github.com/consensys/gnark/std/recursion" "github.com/consensys/gnark/std/recursion/gkr/utils" "github.com/consensys/gnark/std/recursion/sumcheck" @@ -30,7 +34,7 @@ var Gates = map[string]Gate{ func TestGkrVectorsEmulated(t *testing.T) { current := ecc.BN254.ScalarField() - var fr emparams.BN254Fp + var fp emparams.BN254Fp testDirPath := "./test_vectors" dirEntries, err := os.ReadDir(testDirPath) if err != nil { @@ -41,7 +45,7 @@ func TestGkrVectorsEmulated(t *testing.T) { path := filepath.Join(testDirPath, dirEntry.Name()) noExt := dirEntry.Name()[:len(dirEntry.Name())-len(".json")] - t.Run(noExt+"_prover", generateTestProver(path, *current, *fr.Modulus())) + t.Run(noExt+"_prover", generateTestProver(path, *current, *fp.Modulus())) t.Run(noExt+"_verifier", generateTestVerifier[emparams.BN254Fp](path)) } } @@ -53,17 +57,8 @@ func proofEquals(expected NativeProofs, seen NativeProofs) error { } for i, x := range expected { xSeen := seen[i] - + // todo: REMOVE GKR PROOF ABSTRACTION FROM PROOFEQUALS xfinalEvalProofSeen := xSeen.FinalEvalProof - switch finalEvalProof := xfinalEvalProofSeen.(type) { - case nil: - xfinalEvalProofSeen = sumcheck.NativeDeferredEvalProof([]big.Int{}) - case []big.Int: - xfinalEvalProofSeen = sumcheck.NativeDeferredEvalProof(finalEvalProof) - default: - return fmt.Errorf("finalEvalProof is not of type DeferredEvalProof") - } - if xSeen.FinalEvalProof == nil { if seenFinalEval := x.FinalEvalProof.(sumcheck.NativeDeferredEvalProof); len(seenFinalEval) != 0 { return fmt.Errorf("length mismatch %d ≠ %d", 0, len(seenFinalEval)) @@ -609,3 +604,365 @@ func newTestCase(path string, target big.Int) (*TestCase, error) { return tCase.(*TestCase), nil } + +type ProjAddGkrVerifierCircuit[FR emulated.FieldParams] struct { + Circuit CircuitEmulated[FR] + Input [][]emulated.Element[FR] + Output [][]emulated.Element[FR] `gnark:",public"` + SerializedProof []emulated.Element[FR] +} + +func (c *ProjAddGkrVerifierCircuit[FR]) Define(api frontend.API) error { + var fr FR + var proof Proofs[FR] + var err error + + v, err := NewGKRVerifier[FR](api) + if err != nil { + return fmt.Errorf("new verifier: %w", err) + } + + sorted := topologicalSortEmulated(c.Circuit) + + if proof, err = DeserializeProof(sorted, c.SerializedProof); err != nil { + return err + } + assignment := makeInOutAssignment(c.Circuit, c.Input, c.Output) + + // initiating hash in bitmode, since bn254 basefield is bigger than scalarfield + hsh, err := recursion.NewHash(api, fr.Modulus(), true) + if err != nil { + return err + } + + return v.Verify(api, c.Circuit, assignment, proof, fiatshamir.WithHashFr[FR](hsh)) +} + +func testDblAddSelectGKRInstance[FR emulated.FieldParams](t *testing.T, current *big.Int, target *big.Int, inputs [][]*big.Int, outputs [][]*big.Int) { + folding := []*big.Int{ + big.NewInt(1), + big.NewInt(2), + big.NewInt(3), + big.NewInt(4), + big.NewInt(5), + big.NewInt(6), + } + c := make(Circuit, 8) + // c[8] = Wire{ + // Gate: sumcheck.DblAddSelectGate[*sumcheck.BigIntEngine, *big.Int]{Folding: folding}, + // Inputs: []*Wire{&c[7]}, + // } + // check rlc of inputs to second layer is equal to output + c[7] = Wire{ + Gate: sumcheck.DblAddSelectGate[*sumcheck.BigIntEngine, *big.Int]{Folding: folding}, + Inputs: []*Wire{&c[0], &c[1], &c[2], &c[3], &c[4], &c[5], &c[6]}, + } + + res := make([]*big.Int, len(inputs[0])) + for i := 0; i < len(inputs[0]); i++ { + res[i] = c[7].Gate.Evaluate(sumcheck.NewBigIntEngine(target), inputs[0][i], inputs[1][i], inputs[2][i], inputs[3][i], inputs[4][i], inputs[5][i], inputs[6][i]) + } + fmt.Println("res", res) + + foldingEmulated := make([]emulated.Element[FR], len(folding)) + for i, f := range folding { + foldingEmulated[i] = emulated.ValueOf[FR](f) + } + cEmulated := make(CircuitEmulated[FR], len(c)) + cEmulated[7] = WireEmulated[FR]{ + Gate: sumcheck.DblAddSelectGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{ + Folding: polynomial.FromSlice(foldingEmulated), + }, + Inputs: []*WireEmulated[FR]{&cEmulated[0], &cEmulated[1], &cEmulated[2], &cEmulated[3], &cEmulated[4], &cEmulated[5], &cEmulated[6]}, + } + + assert := test.NewAssert(t) + + hash, err := recursion.NewShort(current, target) + if err != nil { + t.Errorf("new short hash: %v", err) + return + } + t.Log("Evaluating all circuit wires") + + fullAssignment := make(WireAssignment) + inOutAssignment := make(WireAssignment) + + sorted := topologicalSort(c) + + inI, outI := 0, 0 + for _, w := range sorted { + var assignmentRaw []*big.Int + if w.IsInput() { + if inI == len(inputs) { + t.Errorf("fewer input in vector than in circuit") + return + } + assignmentRaw = inputs[inI] + inI++ + } else if w.IsOutput() { + if outI == len(outputs) { + t.Errorf("fewer output in vector than in circuit") + return + } + assignmentRaw = outputs[outI] + outI++ + } + + if assignmentRaw != nil { + var wireAssignment []big.Int + wireAssignment, err := utils.SliceToBigIntSlice(assignmentRaw) + assert.NoError(err) + fullAssignment[w] = sumcheck.NativeMultilinear(utils.ConvertToBigIntSlice(wireAssignment)) + inOutAssignment[w] = sumcheck.NativeMultilinear(utils.ConvertToBigIntSlice(wireAssignment)) + } + } + + fullAssignment.Complete(c, target) + + for _, w := range sorted { + if w.IsOutput() { + + if err = utils.SliceEqualsBigInt(sumcheck.DereferenceBigIntSlice(inOutAssignment[w]), sumcheck.DereferenceBigIntSlice(fullAssignment[w])); err != nil { + t.Errorf("assignment mismatch: %v", err) + } + + } + } + + t.Log("Circuit evaluation complete") + proof, err := Prove(current, target, c, fullAssignment, fiatshamir.WithHashBigInt(hash)) + assert.NoError(err) + t.Log("Proof complete") + + proofEmulated := make(Proofs[FR], len(proof)) + for i, proof := range proof { + proofEmulated[i] = sumcheck.ValueOfProof[FR](proof) + } + + validCircuit := &ProjAddGkrVerifierCircuit[FR]{ + Circuit: cEmulated, + Input: make([][]emulated.Element[FR], len(inputs)), + Output: make([][]emulated.Element[FR], len(outputs)), + SerializedProof: proofEmulated.Serialize(), + } + + validAssignment := &ProjAddGkrVerifierCircuit[FR]{ + Circuit: cEmulated, + Input: make([][]emulated.Element[FR], len(inputs)), + Output: make([][]emulated.Element[FR], len(outputs)), + SerializedProof: proofEmulated.Serialize(), + } + + for i := range inputs { + validCircuit.Input[i] = make([]emulated.Element[FR], len(inputs[i])) + validAssignment.Input[i] = make([]emulated.Element[FR], len(inputs[i])) + for j := range inputs[i] { + validAssignment.Input[i][j] = emulated.ValueOf[FR](inputs[i][j]) + } + } + + for i := range outputs { + validCircuit.Output[i] = make([]emulated.Element[FR], len(outputs[i])) + validAssignment.Output[i] = make([]emulated.Element[FR], len(outputs[i])) + for j := range outputs[i] { + validAssignment.Output[i][j] = emulated.ValueOf[FR](outputs[i][j]) + } + } + + err = test.IsSolved(validCircuit, validAssignment, current) + assert.NoError(err) +} + +func ElementToBigInt(element fpbn254.Element) *big.Int { + var temp big.Int + return element.BigInt(&temp) +} + +func TestProjDblAddSelectGKR(t *testing.T) { + var P bn254.G1Affine + var Q bn254.G1Affine + var U bn254.G1Affine + var one fpbn254.Element + one.SetOne() + var zero fpbn254.Element + zero.SetZero() + + var s frbn254.Element + s.SetOne() + var r frbn254.Element + r.SetOne() + P.ScalarMultiplicationBase(s.BigInt(new(big.Int))) + Q.ScalarMultiplicationBase(r.BigInt(new(big.Int))) + U.Add(&P, &Q) + + result, err := new(big.Int).SetString("21888242871839275222246405745257275088696311157297823662689037894645226206973", 10) + if !err { + panic("error result") + } + + var fp emparams.BN254Fp + testDblAddSelectGKRInstance[emparams.BN254Fp](t, ecc.BN254.ScalarField(), fp.Modulus(), [][]*big.Int{{ElementToBigInt(P.X), ElementToBigInt(P.X)}, {ElementToBigInt(P.Y), ElementToBigInt(P.Y)}, {ElementToBigInt(one), ElementToBigInt(one)}, {ElementToBigInt(zero), ElementToBigInt(zero)}, {ElementToBigInt(one), ElementToBigInt(one)}, {ElementToBigInt(zero), ElementToBigInt(zero)}, {ElementToBigInt(one), ElementToBigInt(one)}}, [][]*big.Int{{result, result}}) +} + +func testMultipleDblAddSelectGKRInstance[FR emulated.FieldParams](t *testing.T, current *big.Int, target *big.Int, inputs [][]*big.Int, outputs [][]*big.Int) { + folding := []*big.Int{ + big.NewInt(1), + big.NewInt(2), + big.NewInt(3), + big.NewInt(4), + big.NewInt(5), + big.NewInt(6), + } + c := make(Circuit, 9) + c[8] = Wire{ + Gate: sumcheck.DblAddSelectGate[*sumcheck.BigIntEngine, *big.Int]{Folding: folding}, + Inputs: []*Wire{&c[7]}, + } + // check rlc of inputs to second layer is equal to output + c[7] = Wire{ + Gate: sumcheck.DblAddSelectGate[*sumcheck.BigIntEngine, *big.Int]{Folding: folding}, + Inputs: []*Wire{&c[0], &c[1], &c[2], &c[3], &c[4], &c[5], &c[6]}, + } + + res := make([]*big.Int, len(inputs[0])) + for i := 0; i < len(inputs[0]); i++ { + res[i] = c[7].Gate.Evaluate(sumcheck.NewBigIntEngine(target), inputs[0][i], inputs[1][i], inputs[2][i], inputs[3][i], inputs[4][i], inputs[5][i], inputs[6][i]) + } + fmt.Println("res", res) + + foldingEmulated := make([]emulated.Element[FR], len(folding)) + for i, f := range folding { + foldingEmulated[i] = emulated.ValueOf[FR](f) + } + cEmulated := make(CircuitEmulated[FR], len(c)) + cEmulated[7] = WireEmulated[FR]{ + Gate: sumcheck.DblAddSelectGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{ + Folding: polynomial.FromSlice(foldingEmulated), + }, + Inputs: []*WireEmulated[FR]{&cEmulated[0], &cEmulated[1], &cEmulated[2], &cEmulated[3], &cEmulated[4], &cEmulated[5], &cEmulated[6]}, + } + + assert := test.NewAssert(t) + + hash, err := recursion.NewShort(current, target) + if err != nil { + t.Errorf("new short hash: %v", err) + return + } + t.Log("Evaluating all circuit wires") + + fullAssignment := make(WireAssignment) + inOutAssignment := make(WireAssignment) + + sorted := topologicalSort(c) + + inI, outI := 0, 0 + for _, w := range sorted { + var assignmentRaw []*big.Int + if w.IsInput() { + if inI == len(inputs) { + t.Errorf("fewer input in vector than in circuit") + return + } + assignmentRaw = inputs[inI] + inI++ + } else if w.IsOutput() { + if outI == len(outputs) { + t.Errorf("fewer output in vector than in circuit") + return + } + assignmentRaw = outputs[outI] + outI++ + } + + if assignmentRaw != nil { + var wireAssignment []big.Int + wireAssignment, err := utils.SliceToBigIntSlice(assignmentRaw) + assert.NoError(err) + fullAssignment[w] = sumcheck.NativeMultilinear(utils.ConvertToBigIntSlice(wireAssignment)) + inOutAssignment[w] = sumcheck.NativeMultilinear(utils.ConvertToBigIntSlice(wireAssignment)) + } + } + + fullAssignment.Complete(c, target) + + for _, w := range sorted { + if w.IsOutput() { + + if err = utils.SliceEqualsBigInt(sumcheck.DereferenceBigIntSlice(inOutAssignment[w]), sumcheck.DereferenceBigIntSlice(fullAssignment[w])); err != nil { + t.Errorf("assignment mismatch: %v", err) + } + + } + } + + t.Log("Circuit evaluation complete") + proof, err := Prove(current, target, c, fullAssignment, fiatshamir.WithHashBigInt(hash)) + assert.NoError(err) + t.Log("Proof complete") + + proofEmulated := make(Proofs[FR], len(proof)) + for i, proof := range proof { + proofEmulated[i] = sumcheck.ValueOfProof[FR](proof) + } + + validCircuit := &ProjAddGkrVerifierCircuit[FR]{ + Circuit: cEmulated, + Input: make([][]emulated.Element[FR], len(inputs)), + Output: make([][]emulated.Element[FR], len(outputs)), + SerializedProof: proofEmulated.Serialize(), + } + + validAssignment := &ProjAddGkrVerifierCircuit[FR]{ + Circuit: cEmulated, + Input: make([][]emulated.Element[FR], len(inputs)), + Output: make([][]emulated.Element[FR], len(outputs)), + SerializedProof: proofEmulated.Serialize(), + } + + for i := range inputs { + validCircuit.Input[i] = make([]emulated.Element[FR], len(inputs[i])) + validAssignment.Input[i] = make([]emulated.Element[FR], len(inputs[i])) + for j := range inputs[i] { + validAssignment.Input[i][j] = emulated.ValueOf[FR](inputs[i][j]) + } + } + + for i := range outputs { + validCircuit.Output[i] = make([]emulated.Element[FR], len(outputs[i])) + validAssignment.Output[i] = make([]emulated.Element[FR], len(outputs[i])) + for j := range outputs[i] { + validAssignment.Output[i][j] = emulated.ValueOf[FR](outputs[i][j]) + } + } + + err = test.IsSolved(validCircuit, validAssignment, current) + assert.NoError(err) +} + +func TestMultipleDblAddSelectGKR(t *testing.T) { + var P bn254.G1Affine + var Q bn254.G1Affine + var U bn254.G1Affine + var one fpbn254.Element + one.SetOne() + var zero fpbn254.Element + zero.SetZero() + + var s frbn254.Element + s.SetOne() + var r frbn254.Element + r.SetOne() + P.ScalarMultiplicationBase(s.BigInt(new(big.Int))) + Q.ScalarMultiplicationBase(r.BigInt(new(big.Int))) + U.Add(&P, &Q) + + result, err := new(big.Int).SetString("21888242871839275222246405745257275088696311157297823662689037894645226206973", 10) + if !err { + panic("error result") + } + + var fp emparams.BN254Fp + testMultipleDblAddSelectGKRInstance[emparams.BN254Fp](t, ecc.BN254.ScalarField(), fp.Modulus(), [][]*big.Int{{ElementToBigInt(P.X), ElementToBigInt(P.X)}, {ElementToBigInt(P.Y), ElementToBigInt(P.Y)}, {ElementToBigInt(one), ElementToBigInt(one)}, {ElementToBigInt(zero), ElementToBigInt(zero)}, {ElementToBigInt(one), ElementToBigInt(one)}, {ElementToBigInt(zero), ElementToBigInt(zero)}, {ElementToBigInt(one), ElementToBigInt(one)}}, [][]*big.Int{{result, result}}) +} \ No newline at end of file diff --git a/std/recursion/gkr/scalar_mul.go b/std/recursion/gkr/scalar_mul.go deleted file mode 100644 index 58aed8fa32..0000000000 --- a/std/recursion/gkr/scalar_mul.go +++ /dev/null @@ -1,126 +0,0 @@ -package gkr - -import ( - //"fmt" - //gohash "hash" - "math/big" - "testing" - - //fiatshamir "github.com/consensys/gnark/std/fiat-shamir" - "github.com/consensys/gnark/std/math/emulated" - //"github.com/consensys/gnark/std/recursion/gkr/utils" - "github.com/consensys/gnark/std/recursion/sumcheck" - //"github.com/consensys/gnark/test" -) - -func testProjDblAddSelectGKRInstance[FR emulated.FieldParams](t *testing.T, current *big.Int, target *big.Int, inputs [][]int) { - //var fr FR - c := make(Circuit, 3) - c[1] = Wire{ - Gate: sumcheck.DblAddSelectGate[*sumcheck.BigIntEngine, *big.Int]{ - Folding: []*big.Int{ - big.NewInt(1), - big.NewInt(2), - big.NewInt(3), - big.NewInt(4), - big.NewInt(5), - big.NewInt(6), - }, - }, - Inputs: []*Wire{&c[0]}, - } - - // val1 := emulated.ValueOf[FR](1) - // val2 := emulated.ValueOf[FR](2) - // val3 := emulated.ValueOf[FR](3) - // val4 := emulated.ValueOf[FR](4) - // val5 := emulated.ValueOf[FR](5) - // val6 := emulated.ValueOf[FR](6) - // cEmulated := make(CircuitEmulated[FR], len(c)) - // cEmulated[1] = WireEmulated[FR]{ - // Gate: sumcheck.DblAddSelectGate[*sumcheck.EmuEngine[FR], *emulated.Element[FR]]{ - // Folding: []*emulated.Element[FR]{ - // &val1, - // &val2, - // &val3, - // &val4, - // &val5, - // &val6, - // }, - // }, - // Inputs: []*WireEmulated[FR]{&cEmulated[0]}, - // } - - // assert := test.NewAssert(t) - // inputB := make([][]*big.Int, len(inputs)) - // for i := range inputB { - // inputB[i] = make([]*big.Int, len(inputs[i])) - // for j := range inputs[i] { - // inputB[i][j] = big.NewInt(int64(inputs[i][j])) - // } - // } - - // var hash gohash.Hash - // hash, err := utils.HashFromDescription(map[string]interface{}{ - // "hash": map[string]interface{}{ - // "type": "const", - // "val": -1, - // }, - // }) - // assert.NoError(err) - - // t.Log("Evaluating all circuit wires") - // assignment := WireAssignment{&c[0]: inputAssignments[0], &c[1]: inputAssignments[1]}.Complete(c, target) - // t.Log("Circuit evaluation complete") - // proof, err := Prove(current, target, c, assignment, fiatshamir.WithHashBigInt(hash)) - // assert.NoError(err) - // fmt.Println(proof) - // //assert.NoError(proofEquals(testCase.Proof, proof)) - - // t.Log("Proof complete") - - // evalPointsB, evalPointsPH, evalPointsC := getChallengeEvaluationPoints[FR](inputB) - // claim, evals, err := newNativeGate(fr.Modulus(), nativeGate, inputB, evalPointsB) - // assert.NoError(err) - // proof, err := Prove(current, fr.Modulus(), claim) - // assert.NoError(err) - // nbVars := bits.Len(uint(len(inputs[0]))) - 1 - // circuit := &ProjDblAddSelectSumcheckCircuit[FR]{ - // Inputs: make([][]emulated.Element[FR], len(inputs)), - // Proof: placeholderGateProof[FR](nbVars, nativeGate.Degree()), - // EvaluationPoints: evalPointsPH, - // Claimed: make([]emulated.Element[FR], 1), - // } - // assignment := &ProjDblAddSelectSumcheckCircuit[FR]{ - // Inputs: make([][]emulated.Element[FR], len(inputs)), - // Proof: ValueOfProof[FR](proof), - // EvaluationPoints: evalPointsC, - // Claimed: []emulated.Element[FR]{emulated.ValueOf[FR](evals[0])}, - // } - // for i := range inputs { - // circuit.Inputs[i] = make([]emulated.Element[FR], len(inputs[i])) - // assignment.Inputs[i] = make([]emulated.Element[FR], len(inputs[i])) - // for j := range inputs[i] { - // assignment.Inputs[i][j] = emulated.ValueOf[FR](inputs[i][j]) - // } - // } - // err = test.IsSolved(circuit, assignment, current) - // assert.NoError(err) -} - -// func TestProjDblAddSelectSumCheckSumcheck(t *testing.T) { -// // testProjDblAddSelectSumCheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{4, 3}, {2, 3}, {3, 6}, {4, 9}, {13, 3}, {31, 9}}) -// // testProjDblAddSelectSumCheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{1, 2, 3, 4}, {5, 6, 7, 8}}) -// // testProjDblAddSelectSumCheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), [][]int{{1, 2, 3, 4, 5, 6, 7, 8}, {11, 12, 13, 14, 15, 16, 17, 18}}) -// inputs := [][]int{{0}, {1}, {2}, {3}, {4}, {5}, {6}} -// for i := 1; i < (1 << 14); i++ { -// inputs[0] = append(inputs[0], (inputs[0][i-1]-1)*(inputs[0][i-1]-1)) -// inputs[1] = append(inputs[1], (inputs[0][i-1]+1)*2) -// inputs[2] = append(inputs[2], (inputs[1][i-1]+2)*7) -// inputs[3] = append(inputs[3], (inputs[2][i-1]+3)*6) -// inputs[4] = append(inputs[4], (inputs[3][i-1]+4)*5) -// inputs[5] = append(inputs[5], (inputs[4][i-1]+5)*4) -// inputs[6] = append(inputs[6], (inputs[5][i-1]+6)*3) -// } -// testProjDblAddSelectSumCheckInstance[emparams.BN254Fr](t, ecc.BN254.ScalarField(), inputs) -// } diff --git a/std/recursion/gkr/utils/util.go b/std/recursion/gkr/utils/util.go index fde31ffee9..c7a9399d1d 100644 --- a/std/recursion/gkr/utils/util.go +++ b/std/recursion/gkr/utils/util.go @@ -16,6 +16,8 @@ func SliceToBigIntSlice[T any](slice []T) ([]big.Int, error) { elementSlice := make([]big.Int, len(slice)) for i, v := range slice { switch v := any(v).(type) { + case *big.Int: + elementSlice[i] = *v case float64: elementSlice[i] = *big.NewInt(int64(v)) default: diff --git a/std/recursion/sumcheck/fullscalarmul_test.go b/std/recursion/sumcheck/fullscalarmul_test.go new file mode 100644 index 0000000000..2bc4052f58 --- /dev/null +++ b/std/recursion/sumcheck/fullscalarmul_test.go @@ -0,0 +1,184 @@ +package sumcheck + +import ( + "crypto/rand" + "fmt" + "math/big" + "testing" + + "github.com/consensys/gnark-crypto/ecc" + "github.com/consensys/gnark-crypto/ecc/secp256k1" + fr_secp256k1 "github.com/consensys/gnark-crypto/ecc/secp256k1/fr" + + "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark/std/algebra/emulated/sw_emulated" + "github.com/consensys/gnark/std/math/emulated" + "github.com/consensys/gnark/std/math/emulated/emparams" + "github.com/consensys/gnark/test" +) + +type ScalarMulCircuit[Base, Scalars emulated.FieldParams] struct { + Points []sw_emulated.AffinePoint[Base] + Scalars []emulated.Element[Scalars] + + nbScalarBits int +} + +func (c *ScalarMulCircuit[B, S]) Define(api frontend.API) error { + if len(c.Points) != len(c.Scalars) { + return fmt.Errorf("len(inputs) != len(scalars)") + } + baseApi, err := emulated.NewField[B](api) + if err != nil { + return fmt.Errorf("new base field: %w", err) + } + scalarApi, err := emulated.NewField[S](api) + if err != nil { + return fmt.Errorf("new scalar field: %w", err) + } + for i := range c.Points { + step, err := callHintScalarMulSteps[B, S](api, baseApi, scalarApi, c.nbScalarBits, c.Points[i], c.Scalars[i]) + if err != nil { + return fmt.Errorf("hint scalar mul steps: %w", err) + } + _ = step + } + return nil +} + +func callHintScalarMulSteps[B, S emulated.FieldParams](api frontend.API, + baseApi *emulated.Field[B], scalarApi *emulated.Field[S], + nbScalarBits int, + point sw_emulated.AffinePoint[B], scalar emulated.Element[S]) ([][6]*emulated.Element[B], error) { + var fp B + var fr S + inputs := []frontend.Variable{fp.BitsPerLimb(), fp.NbLimbs()} + inputs = append(inputs, baseApi.Modulus().Limbs...) + inputs = append(inputs, point.X.Limbs...) + inputs = append(inputs, point.Y.Limbs...) + inputs = append(inputs, fr.BitsPerLimb(), fr.NbLimbs()) + inputs = append(inputs, scalarApi.Modulus().Limbs...) + inputs = append(inputs, scalar.Limbs...) + nbRes := nbScalarBits * int(fp.NbLimbs()) * 6 + hintRes, err := api.Compiler().NewHint(hintScalarMulSteps, nbRes, inputs...) + if err != nil { + return nil, fmt.Errorf("new hint: %w", err) + } + res := make([][6]*emulated.Element[B], nbScalarBits) + for i := range res { + for j := 0; j < 6; j++ { + limbs := hintRes[i*(6*int(fp.NbLimbs()))+j*int(fp.NbLimbs()) : i*(6*int(fp.NbLimbs()))+(j+1)*int(fp.NbLimbs())] + res[i][j] = baseApi.NewElement(limbs) + } + } + return res, nil +} + +func hintScalarMulSteps(mod *big.Int, inputs []*big.Int, outputs []*big.Int) error { + nbBits := int(inputs[0].Int64()) + nbLimbs := int(inputs[1].Int64()) + fpLimbs := inputs[2 : 2+nbLimbs] + xLimbs := inputs[2+nbLimbs : 2+2*nbLimbs] + yLimbs := inputs[2+2*nbLimbs : 2+3*nbLimbs] + nbScalarBits := int(inputs[2+3*nbLimbs].Int64()) + nbScalarLimbs := int(inputs[3+3*nbLimbs].Int64()) + frLimbs := inputs[4+3*nbLimbs : 4+3*nbLimbs+nbScalarLimbs] + scalarLimbs := inputs[4+3*nbLimbs+nbScalarLimbs : 4+3*nbLimbs+2*nbScalarLimbs] + + x := new(big.Int) + y := new(big.Int) + fp := new(big.Int) + fr := new(big.Int) + scalar := new(big.Int) + if err := recompose(fpLimbs, uint(nbBits), fp); err != nil { + return fmt.Errorf("recompose fp: %w", err) + } + if err := recompose(frLimbs, uint(nbScalarBits), fr); err != nil { + return fmt.Errorf("recompose fr: %w", err) + } + if err := recompose(xLimbs, uint(nbBits), x); err != nil { + return fmt.Errorf("recompose x: %w", err) + } + if err := recompose(yLimbs, uint(nbBits), y); err != nil { + return fmt.Errorf("recompose y: %w", err) + } + if err := recompose(scalarLimbs, uint(nbScalarBits), scalar); err != nil { + return fmt.Errorf("recompose scalar: %w", err) + } + fmt.Println(fp, fr, x, y, scalar) + + scalarLength := len(outputs) / (6 * nbLimbs) + println("scalarLength", scalarLength) + return nil +} + +func recompose(inputs []*big.Int, nbBits uint, res *big.Int) error { + if len(inputs) == 0 { + return fmt.Errorf("zero length slice input") + } + if res == nil { + return fmt.Errorf("result not initialized") + } + res.SetUint64(0) + for i := range inputs { + res.Lsh(res, nbBits) + res.Add(res, inputs[len(inputs)-i-1]) + } + // TODO @gbotrel mod reduce ? + return nil +} + +func decompose(input *big.Int, nbBits uint, res []*big.Int) error { + // limb modulus + if input.BitLen() > len(res)*int(nbBits) { + return fmt.Errorf("decomposed integer does not fit into res") + } + for _, r := range res { + if r == nil { + return fmt.Errorf("result slice element uninitalized") + } + } + base := new(big.Int).Lsh(big.NewInt(1), nbBits) + tmp := new(big.Int).Set(input) + for i := 0; i < len(res); i++ { + res[i].Mod(tmp, base) + tmp.Rsh(tmp, nbBits) + } + return nil +} + +func TestScalarMul(t *testing.T) { + assert := test.NewAssert(t) + type B = emparams.Secp256k1Fp + type S = emparams.Secp256k1Fr + t.Log(B{}.Modulus(), S{}.Modulus()) + var P secp256k1.G1Affine + var s fr_secp256k1.Element + nbInputs := 1 << 0 + nbScalarBits := 2 + scalarBound := new(big.Int).Lsh(big.NewInt(1), uint(nbScalarBits)) + points := make([]sw_emulated.AffinePoint[B], nbInputs) + scalars := make([]emulated.Element[S], nbInputs) + for i := range points { + s.SetRandom() + P.ScalarMultiplicationBase(s.BigInt(new(big.Int))) + sc, _ := rand.Int(rand.Reader, scalarBound) + t.Log(P.X.String(), P.Y.String(), sc.String()) + points[i] = sw_emulated.AffinePoint[B]{ + X: emulated.ValueOf[B](P.X), + Y: emulated.ValueOf[B](P.Y), + } + scalars[i] = emulated.ValueOf[S](sc) + } + circuit := ScalarMulCircuit[B, S]{ + Points: make([]sw_emulated.AffinePoint[B], nbInputs), + Scalars: make([]emulated.Element[S], nbInputs), + nbScalarBits: nbScalarBits, + } + witness := ScalarMulCircuit[B, S]{ + Points: points, + Scalars: scalars, + } + err := test.IsSolved(&circuit, &witness, ecc.BLS12_377.ScalarField()) + assert.NoError(err) +} \ No newline at end of file diff --git a/std/recursion/sumcheck/scalarmul_gates.go b/std/recursion/sumcheck/scalarmul_gates.go index 833e522923..71ef0207e8 100644 --- a/std/recursion/sumcheck/scalarmul_gates.go +++ b/std/recursion/sumcheck/scalarmul_gates.go @@ -14,13 +14,13 @@ import ( "github.com/consensys/gnark/test" ) -type projAddGate[AE ArithEngine[E], E element] struct { +type ProjAddGate[AE ArithEngine[E], E element] struct { Folding E } -func (m projAddGate[AE, E]) NbInputs() int { return 6 } -func (m projAddGate[AE, E]) Degree() int { return 4 } -func (m projAddGate[AE, E]) Evaluate(api AE, vars ...E) E { +func (m ProjAddGate[AE, E]) NbInputs() int { return 6 } +func (m ProjAddGate[AE, E]) Degree() int { return 4 } +func (m ProjAddGate[AE, E]) Evaluate(api AE, vars ...E) E { if len(vars) != m.NbInputs() { panic("incorrect nb of inputs") } @@ -102,7 +102,7 @@ func (c *ProjAddSumcheckCircuit[FR]) Define(api frontend.API) error { for i := range c.EvaluationPoints { evalPoints[i] = polynomial.FromSlice[FR](c.EvaluationPoints[i]) } - claim, err := newGate[FR](api, projAddGate[*EmuEngine[FR], *emulated.Element[FR]]{f.NewElement(123)}, inputs, evalPoints, claimedEvals) + claim, err := newGate[FR](api, ProjAddGate[*EmuEngine[FR], *emulated.Element[FR]]{f.NewElement(123)}, inputs, evalPoints, claimedEvals) if err != nil { return fmt.Errorf("new gate claim: %w", err) } @@ -114,7 +114,7 @@ func (c *ProjAddSumcheckCircuit[FR]) Define(api frontend.API) error { func testProjAddSumCheckInstance[FR emulated.FieldParams](t *testing.T, current *big.Int, inputs [][]int) { var fr FR - nativeGate := projAddGate[*BigIntEngine, *big.Int]{Folding: big.NewInt(123)} + nativeGate := ProjAddGate[*BigIntEngine, *big.Int]{Folding: big.NewInt(123)} assert := test.NewAssert(t) inputB := make([][]*big.Int, len(inputs)) for i := range inputB { From 800dcb3d6ccf8c721cca3b0c628040b091c60023 Mon Sep 17 00:00:00 2001 From: ak36 Date: Wed, 14 Aug 2024 20:48:48 -0400 Subject: [PATCH 26/26] cleanup --- std/recursion/gkr/gkr_nonnative_test.go | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/std/recursion/gkr/gkr_nonnative_test.go b/std/recursion/gkr/gkr_nonnative_test.go index a766172f6c..c1fd696e3a 100644 --- a/std/recursion/gkr/gkr_nonnative_test.go +++ b/std/recursion/gkr/gkr_nonnative_test.go @@ -648,11 +648,6 @@ func testDblAddSelectGKRInstance[FR emulated.FieldParams](t *testing.T, current big.NewInt(6), } c := make(Circuit, 8) - // c[8] = Wire{ - // Gate: sumcheck.DblAddSelectGate[*sumcheck.BigIntEngine, *big.Int]{Folding: folding}, - // Inputs: []*Wire{&c[7]}, - // } - // check rlc of inputs to second layer is equal to output c[7] = Wire{ Gate: sumcheck.DblAddSelectGate[*sumcheck.BigIntEngine, *big.Int]{Folding: folding}, Inputs: []*Wire{&c[0], &c[1], &c[2], &c[3], &c[4], &c[5], &c[6]}, @@ -662,7 +657,6 @@ func testDblAddSelectGKRInstance[FR emulated.FieldParams](t *testing.T, current for i := 0; i < len(inputs[0]); i++ { res[i] = c[7].Gate.Evaluate(sumcheck.NewBigIntEngine(target), inputs[0][i], inputs[1][i], inputs[2][i], inputs[3][i], inputs[4][i], inputs[5][i], inputs[6][i]) } - fmt.Println("res", res) foldingEmulated := make([]emulated.Element[FR], len(folding)) for i, f := range folding { @@ -722,7 +716,6 @@ func testDblAddSelectGKRInstance[FR emulated.FieldParams](t *testing.T, current for _, w := range sorted { if w.IsOutput() { - if err = utils.SliceEqualsBigInt(sumcheck.DereferenceBigIntSlice(inOutAssignment[w]), sumcheck.DereferenceBigIntSlice(fullAssignment[w])); err != nil { t.Errorf("assignment mismatch: %v", err) } @@ -814,11 +807,7 @@ func testMultipleDblAddSelectGKRInstance[FR emulated.FieldParams](t *testing.T, big.NewInt(5), big.NewInt(6), } - c := make(Circuit, 9) - c[8] = Wire{ - Gate: sumcheck.DblAddSelectGate[*sumcheck.BigIntEngine, *big.Int]{Folding: folding}, - Inputs: []*Wire{&c[7]}, - } + c := make(Circuit, 8) // check rlc of inputs to second layer is equal to output c[7] = Wire{ Gate: sumcheck.DblAddSelectGate[*sumcheck.BigIntEngine, *big.Int]{Folding: folding},