Adapt proving methods onto SumcheckInstanceProof. Remove ZK proof struct.

Author: darth-cy

spartan_parallel/src/dense_mlpoly.rs

@@ -3,9 +3,9 @@ use crate::scalar::SpartanExtensionField;
 
 use super::errors::ProofVerifyError;
 use super::math::Math;
-use super::nizk::DotProductProofLog;
 use super::random::RandomTape;
 use super::transcript::ProofTranscript;
+use super::unipoly::CompressedUniPoly;
 use core::ops::Index;
 use merlin::Transcript;
 use serde::{Deserialize, Serialize};
@@ -309,9 +309,9 @@ impl<S: SpartanExtensionField> Index<usize> for DensePolynomial<S> {
   }
 }
 
-#[derive(Clone, Debug, Serialize, Deserialize)]
+#[derive(Debug, Serialize, Deserialize)]
 pub struct PolyEvalProof<S: SpartanExtensionField> {
-  proof: DotProductProofLog<S>,
+  polys: Vec<CompressedUniPoly<S>>,
 }
 
 impl<S: SpartanExtensionField> PolyEvalProof<S> {

spartan_parallel/src/r1csproof.rs

@@ -3,10 +3,9 @@ use super::custom_dense_mlpoly::DensePolynomialPqx;
 use super::dense_mlpoly::{DensePolynomial, EqPolynomial, PolyEvalProof};
 use super::errors::ProofVerifyError;
 use super::math::Math;
-use super::nizk::{EqualityProof, KnowledgeProof, ProductProof};
 use super::r1csinstance::R1CSInstance;
 use super::random::RandomTape;
-use super::sumcheck::R1CSSumcheckInstanceProof;
+use super::sumcheck::SumcheckInstanceProof;
 use super::timer::Timer;
 use super::transcript::ProofTranscript;
 use crate::scalar::SpartanExtensionField;
@@ -17,8 +16,8 @@ use std::cmp::min;
 
 #[derive(Serialize, Deserialize, Debug)]
 pub struct R1CSProof<S: SpartanExtensionField> {
-  sc_proof_phase1: R1CSSumcheckInstanceProof<S>,
-  sc_proof_phase2: R1CSSumcheckInstanceProof<S>,
+  sc_proof_phase1: SumcheckInstanceProof<S>,
+  sc_proof_phase2: SumcheckInstanceProof<S>,
   pok_claims_phase2: (KnowledgeProof<S>, ProductProof<S>),
   proof_eq_sc_phase1: EqualityProof<S>,
   proof_eq_sc_phase2: EqualityProof<S>,
@@ -41,13 +40,13 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
     evals_Cz: &mut DensePolynomialPqx<S>,
     transcript: &mut Transcript,
     random_tape: &mut RandomTape<S>,
-  ) -> (R1CSSumcheckInstanceProof<S>, Vec<S>, Vec<S>) {
+  ) -> (SumcheckInstanceProof<S>, Vec<S>, Vec<S>) {
     let comb_func = |poly_A_comp: &S, poly_B_comp: &S, poly_C_comp: &S, poly_D_comp: &S| -> S {
       *poly_A_comp * (*poly_B_comp * *poly_C_comp - *poly_D_comp)
     };
 
     let (sc_proof_phase_one, r, claims) =
-      R1CSSumcheckInstanceProof::<S>::prove_cubic_with_additive_term_disjoint_rounds(
+      SumcheckInstanceProof::<S>::prove_cubic_with_additive_term_disjoint_rounds(
         &S::field_zero(), // claim is zero
         num_rounds,
         num_rounds_x_max,
@@ -83,12 +82,12 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
     evals_z: &mut DensePolynomialPqx<S>,
     transcript: &mut Transcript,
     random_tape: &mut RandomTape<S>,
-  ) -> (R1CSSumcheckInstanceProof<S>, Vec<S>, Vec<S>) {
+  ) -> (SumcheckInstanceProof<S>, Vec<S>, Vec<S>) {
     let comb_func = |poly_A_comp: &S, poly_B_comp: &S, poly_C_comp: &S| -> S {
       *poly_A_comp * *poly_B_comp * *poly_C_comp
     };
     let (sc_proof_phase_two, r, claims) =
-      R1CSSumcheckInstanceProof::<S>::prove_cubic_disjoint_rounds(
+      SumcheckInstanceProof::<S>::prove_cubic_disjoint_rounds(
         claim,
         num_rounds,
         num_rounds_y_max,
@@ -102,7 +101,6 @@ impl<S: SpartanExtensionField> R1CSProof<S> {
         evals_z,
         comb_func,
         transcript,
-        random_tape,
       );
 
     (sc_proof_phase_two, r, claims)

spartan_parallel/src/sumcheck.rs

@@ -6,7 +6,6 @@ use crate::scalar::SpartanExtensionField;
 
 use super::dense_mlpoly::DensePolynomial;
 use super::errors::ProofVerifyError;
-use super::nizk::DotProductProof;
 use super::random::RandomTape;
 use super::transcript::{AppendToTranscript, ProofTranscript};
 use super::unipoly::{CompressedUniPoly, UniPoly};
@@ -70,67 +69,6 @@ impl<S: SpartanExtensionField> SumcheckInstanceProof<S> {
   }
 }
 
-#[derive(Serialize, Deserialize, Debug)]
-pub struct R1CSSumcheckInstanceProof<S: SpartanExtensionField> {
-  proofs: Vec<DotProductProof<S>>,
-}
-
-impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
-  pub fn new(proofs: Vec<DotProductProof<S>>) -> Self {
-    R1CSSumcheckInstanceProof { proofs }
-  }
-
-  pub fn verify(
-    &self,
-    num_rounds: usize,
-    degree_bound: usize,
-    transcript: &mut Transcript,
-  ) -> Result<Vec<S>, ProofVerifyError> {
-    let mut r: Vec<S> = Vec::new();
-
-    for i in 0..num_rounds {
-      // derive the verifier's challenge for the next round
-      let r_i = transcript.challenge_scalar(b"challenge_nextround");
-
-      // verify the proof of sum-check and evals
-      let _res = {
-        // produce two weights
-        let w: Vec<S> = transcript.challenge_vector(b"combine_two_claims_to_one", 2);
-
-        let a = {
-          // the vector to use to decommit for sum-check test
-          let a_sc = {
-            let mut a = vec![S::field_one(); degree_bound + 1];
-            a[0] = a[0] + S::field_one();
-            a
-          };
-
-          // the vector to use to decommit for evaluation
-          let a_eval = {
-            let mut a = vec![S::field_one(); degree_bound + 1];
-            for j in 1..a.len() {
-              a[j] = a[j - 1] * r_i;
-            }
-            a
-          };
-
-          // take weighted sum of the two vectors using w
-          assert_eq!(a_sc.len(), a_eval.len());
-          (0..a_sc.len())
-            .map(|i| w[0] * a_sc[i] + w[1] * a_eval[i])
-            .collect::<Vec<S>>()
-        };
-
-        self.proofs[i].verify(transcript, &a).is_ok()
-      };
-
-      r.push(r_i);
-    }
-
-    Ok(r)
-  }
-}
-
 impl<S: SpartanExtensionField> SumcheckInstanceProof<S> {
   pub fn prove_cubic<F>(
     claim: &S,
@@ -379,9 +317,7 @@ impl<S: SpartanExtensionField> SumcheckInstanceProof<S> {
       claims_dotp,
     )
   }
-}
 
-impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
   pub fn prove_cubic_disjoint_rounds<F>(
     claim: &S,
     num_rounds: usize,
@@ -396,7 +332,6 @@ impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
     poly_C: &mut DensePolynomialPqx<S>,
     comb_func: F,
     transcript: &mut Transcript,
-    random_tape: &mut RandomTape<S>,
   ) -> (Self, Vec<S>, Vec<S>)
   where
     F: Fn(&S, &S, &S) -> S,
@@ -410,7 +345,7 @@ impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
     let mut claim_per_round = *claim;
 
     let mut r: Vec<S> = Vec::new();
-    let mut proofs: Vec<DotProductProof<S>> = Vec::new();
+    let mut cubic_polys: Vec<CompressedUniPoly<S>> = Vec::new();
 
     let mut inputs_len = num_rounds_y_max.pow2();
     let mut witness_secs_len = num_rounds_w.pow2();
@@ -540,8 +475,12 @@ impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
         poly
       };
 
+      // append the prover's message to the transcript
+      poly.append_to_transcript(b"poly", transcript);
+
       //derive the verifier's challenge for the next round
       let r_j = transcript.challenge_scalar(b"challenge_nextround");
+      r.push(r_j);
 
       // bound all tables to the verifier's challenege
       if mode == MODE_P {
@@ -552,61 +491,12 @@ impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
       }
       poly_C.bound_poly(&r_j, mode);
 
-      // produce a proof of sum-check and of evaluation
-      let (proof, claim_next_round) = {
-        let eval = poly.evaluate(&r_j);
-
-        // we need to prove the following under homomorphic commitments:
-        // (1) poly(0) + poly(1) = claim_per_round
-        // (2) poly(r_j) = eval
-
-        // Our technique is to leverage dot product proofs:
-        // (1) we can prove: <poly_in_coeffs_form, (2, 1, 1, 1)> = claim_per_round
-        // (2) we can prove: <poly_in_coeffs_form, (1, r_j, r^2_j, ..) = eval
-        // for efficiency we batch them using random weights
-
-        // produce two weights
-        let w: Vec<S> = transcript.challenge_vector(b"combine_two_claims_to_one", 2);
-
-        // compute a weighted sum of the RHS
-        let target = w[0] * claim_per_round + w[1] * eval;
-
-        let a = {
-          // the vector to use to decommit for sum-check test
-          let a_sc = {
-            let mut a = vec![S::field_one(); poly.degree() + 1];
-            a[0] = a[0] + S::field_one();
-            a
-          };
-
-          // the vector to use to decommit for evaluation
-          let a_eval = {
-            let mut a = vec![S::field_one(); poly.degree() + 1];
-            for j in 1..a.len() {
-              a[j] = a[j - 1] * r_j;
-            }
-            a
-          };
-
-          // take weighted sum of the two vectors using w
-          assert_eq!(a_sc.len(), a_eval.len());
-          (0..a_sc.len())
-            .map(|i| w[0] * a_sc[i] + w[1] * a_eval[i])
-            .collect::<Vec<S>>()
-        };
-
-        let proof = DotProductProof::prove(transcript, random_tape, &poly.as_vec(), &a, &target);
-
-        (proof, eval)
-      };
-
-      proofs.push(proof);
-      claim_per_round = claim_next_round;
-      r.push(r_j);
+      claim_per_round = poly.evaluate(&r_j);
+      cubic_polys.push(poly.compress());
     }
 
     (
-      R1CSSumcheckInstanceProof::new(proofs),
+      SumcheckInstanceProof::new(cubic_polys),
       r,
       vec![
         poly_A[0],
@@ -653,7 +543,7 @@ impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
     let mut claim_per_round = *claim;
 
     let mut r: Vec<S> = Vec::new();
-    let mut proofs: Vec<DotProductProof<S>> = Vec::new();
+    let mut cubic_polys: Vec<CompressedUniPoly<S>> = Vec::new();
 
     let mut cons_len = num_rounds_x_max.pow2();
     let mut proof_len = num_rounds_q_max.pow2();
@@ -798,8 +688,12 @@ impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
         poly
       };
 
+      // append the prover's message to the transcript
+      poly.append_to_transcript(b"poly", transcript);
+
       //derive the verifier's challenge for the next round
       let r_j = transcript.challenge_scalar(b"challenge_nextround");
+      r.push(r_j);
 
       // bound all tables to the verifier's challenege
       if mode == 1 {
@@ -813,60 +707,12 @@ impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
       poly_C.bound_poly(&r_j, mode);
       poly_D.bound_poly(&r_j, mode);
 
-      let (proof, claim_next_round) = {
-        let eval = poly.evaluate(&r_j);
-
-        // we need to prove the following under homomorphic commitments:
-        // (1) poly(0) + poly(1) = claim_per_round
-        // (2) poly(r_j) = eval
-
-        // Our technique is to leverage dot product proofs:
-        // (1) we can prove: <poly_in_coeffs_form, (2, 1, 1, 1)> = claim_per_round
-        // (2) we can prove: <poly_in_coeffs_form, (1, r_j, r^2_j, ..) = eval
-        // for efficiency we batch them using random weights
-
-        // produce two weights
-        let w: Vec<S> = transcript.challenge_vector(b"combine_two_claims_to_one", 2);
-
-        // compute a weighted sum of the RHS
-        let target = w[0] * claim_per_round + w[1] * eval;
-
-        let a = {
-          // the vector to use to decommit for sum-check test
-          let a_sc = {
-            let mut a = vec![S::field_one(); poly.degree() + 1];
-            a[0] = a[0] + S::field_one();
-            a
-          };
-
-          // the vector to use to decommit for evaluation
-          let a_eval = {
-            let mut a = vec![S::field_one(); poly.degree() + 1];
-            for j in 1..a.len() {
-              a[j] = a[j - 1] * r_j;
-            }
-            a
-          };
-
-          // take weighted sum of the two vectors using w
-          assert_eq!(a_sc.len(), a_eval.len());
-          (0..a_sc.len())
-            .map(|i| w[0] * a_sc[i] + w[1] * a_eval[i])
-            .collect::<Vec<S>>()
-        };
-
-        let proof = DotProductProof::prove(transcript, random_tape, &poly.as_vec(), &a, &target);
-
-        (proof, eval)
-      };
-
-      proofs.push(proof);
-      claim_per_round = claim_next_round;
-      r.push(r_j);
+      claim_per_round = poly.evaluate(&r_j);
+      cubic_polys.push(poly.compress()); 
     }
 
     (
-      R1CSSumcheckInstanceProof::new(proofs),
+      SumcheckInstanceProof::new(cubic_polys),
       r,
       vec![
         poly_Ap[0] * poly_Aq[0] * poly_Ax[0],
@@ -876,4 +722,4 @@ impl<S: SpartanExtensionField> R1CSSumcheckInstanceProof<S> {
       ],
     )
   }
-}
+}