Add streaming KZG (#95)

Co-authored-by: Pratyush Mishra <pratyushmishra@berkeley.edu>
Co-authored-by: Michele Orrù <michele.orru@berkeley.edu>

Author: 3 people

Cargo.toml

@@ -30,7 +30,6 @@ ark-sponge = {version = "^0.3.0", default-features = false}
 ark-std = { version = "^0.3.0", default-features = false }
 ark-relations = { version = "^0.3.0", default-features = false, optional = true }
 ark-r1cs-std = { version = "^0.3.0", default-features = false, optional = true }
-ark-nonnative-field = { version = "^0.3.0", default-features = false, optional = true }
 hashbrown = { version = "0.9", optional = true }
 
 digest = "0.9"
@@ -61,14 +60,17 @@ debug = true
 ark-std = { git = "https://github.com/arkworks-rs/std" }
 ark-ec = { git = "https://github.com/arkworks-rs/algebra" }
 ark-ff = { git = "https://github.com/arkworks-rs/algebra" }
+ark-poly = { git = "https://github.com/arkworks-rs/algebra" }
 ark-serialize = { git = "https://github.com/arkworks-rs/algebra" }
 ark-bls12-381 = { git = "https://github.com/arkworks-rs/curves" }
 ark-bls12-377 = { git = "https://github.com/arkworks-rs/curves" }
 ark-ed-on-bls12-381 = { git = "https://github.com/arkworks-rs/curves" }
+ark-r1cs-std = { git = "https://github.com/arkworks-rs/r1cs-std" }
+ark-sponge = { git = "https://github.com/arkworks-rs/sponge" }
 
 [features]
 default = [ "std", "parallel" ]
-std = [ "ark-ff/std", "ark-ec/std", "ark-nonnative-field/std", "ark-poly/std", "ark-std/std", "ark-relations/std", "ark-serialize/std", "ark-sponge/std"]
-r1cs = [ "ark-relations", "ark-r1cs-std", "ark-nonnative-field", "hashbrown", "ark-sponge/r1cs"]
+std = [ "ark-ff/std", "ark-ec/std", "ark-poly/std", "ark-std/std", "ark-relations/std", "ark-serialize/std", "ark-sponge/std"]
+r1cs = [ "ark-relations", "ark-r1cs-std", "hashbrown", "ark-sponge/r1cs"]
 print-trace = [ "ark-std/print-trace" ]
 parallel = [ "std", "ark-ff/parallel", "ark-ec/parallel", "ark-poly/parallel", "ark-std/parallel", "rayon" ]

src/constraints.rs

@@ -3,8 +3,8 @@ use crate::{
     PolynomialCommitment, String, Vec,
 };
 use ark_ff::PrimeField;
-use ark_nonnative_field::NonNativeFieldVar;
 use ark_poly::Polynomial;
+use ark_r1cs_std::fields::nonnative::NonNativeFieldVar;
 use ark_r1cs_std::{fields::fp::FpVar, prelude::*};
 use ark_relations::r1cs::{ConstraintSystemRef, Namespace, Result as R1CSResult, SynthesisError};
 use ark_sponge::CryptographicSponge;

src/ipa_pc/mod.rs

@@ -62,7 +62,7 @@ where
         randomizer: Option<G::ScalarField>,
     ) -> G::Projective {
         let scalars_bigint = ark_std::cfg_iter!(scalars)
-            .map(|s| s.into_repr())
+            .map(|s| s.into_bigint())
             .collect::<Vec<_>>();
 
         let mut comm = VariableBase::msm(comm_key, &scalars_bigint);
@@ -160,7 +160,7 @@ where
         let h_prime = vk.h.mul(round_challenge);
 
         let mut round_commitment_proj =
-            combined_commitment_proj + &h_prime.mul(&combined_v.into_repr());
+            combined_commitment_proj + &h_prime.mul(&combined_v.into_bigint());
 
         let l_iter = proof.l_vec.iter();
         let r_iter = proof.r_vec.iter();

src/kzg10/data_structures.rs

@@ -391,7 +391,7 @@ pub struct PreparedVerifierKey<E: PairingEngine> {
 impl<E: PairingEngine> PreparedVerifierKey<E> {
     /// prepare `PreparedVerifierKey` from `VerifierKey`
     pub fn prepare(vk: &VerifierKey<E>) -> Self {
-        let supported_bits = E::Fr::size_in_bits();
+        let supported_bits = E::Fr::MODULUS_BIT_SIZE as usize;
 
         let mut prepared_g = Vec::<E::G1Affine>::new();
         let mut g = E::G1Projective::from(vk.g.clone());
@@ -458,7 +458,7 @@ where
 impl<'a, E: PairingEngine> AddAssign<(E::Fr, &'a Commitment<E>)> for Commitment<E> {
     #[inline]
     fn add_assign(&mut self, (f, other): (E::Fr, &'a Commitment<E>)) {
-        let mut other = other.0.mul(f.into_repr());
+        let mut other = other.0.mul(f.into_bigint());
         other.add_assign_mixed(&self.0);
         self.0 = other.into();
     }
@@ -485,7 +485,7 @@ impl<E: PairingEngine> PreparedCommitment<E> {
         let mut prepared_comm = Vec::<E::G1Affine>::new();
         let mut cur = E::G1Projective::from(comm.0.clone());
 
-        let supported_bits = E::Fr::size_in_bits();
+        let supported_bits = E::Fr::MODULUS_BIT_SIZE as usize;
 
         for _ in 0..supported_bits {
             prepared_comm.push(cur.clone().into());

src/kzg10/mod.rs

@@ -60,7 +60,7 @@ where
 
         let window_size = FixedBase::get_mul_window_size(max_degree + 1);
 
-        let scalar_bits = E::Fr::size_in_bits();
+        let scalar_bits = E::Fr::MODULUS_BIT_SIZE as usize;
         let g_time = start_timer!(|| "Generating powers of G");
         let g_table = FixedBase::get_window_table(scalar_bits, window_size, g);
         let powers_of_g =
@@ -331,8 +331,8 @@ where
             if let Some(random_v) = proof.random_v {
                 gamma_g_multiplier += &(randomizer * &random_v);
             }
-            total_c += &c.mul(randomizer.into_repr());
-            total_w += &w.mul(randomizer.into_repr());
+            total_c += &c.mul(randomizer.into_bigint());
+            total_w += &w.mul(randomizer.into_bigint());
             // We don't need to sample randomizers from the full field,
             // only from 128-bit strings.
             randomizer = u128::rand(rng).into();
@@ -430,7 +430,7 @@ fn skip_leading_zeros_and_convert_to_bigints<F: PrimeField, P: UVPolynomial<F>>(
 fn convert_to_bigints<F: PrimeField>(p: &[F]) -> Vec<F::BigInt> {
     let to_bigint_time = start_timer!(|| "Converting polynomial coeffs to bigints");
     let coeffs = ark_std::cfg_iter!(p)
-        .map(|s| s.into_repr())
+        .map(|s| s.into_bigint())
         .collect::<Vec<_>>();
     end_timer!(to_bigint_time);
     coeffs

src/lib.rs

@@ -118,6 +118,14 @@ use ark_sponge::{CryptographicSponge, FieldElementSize};
 /// [marlin]: https://eprint.iacr.org/2019/104
 pub use marlin::marlin_pst13_pc;
 
+/// Streaming polynomial commitment based on the construction in
+/// [[BCHO22, "Gemini"]][gemini] with batching techniques inspired
+/// by [[BDFG20]][bdfg].
+///
+/// [gemini]:
+/// [bdfg]: https://eprint.iacr.org/2020/081.pdf
+pub mod streaming_kzg;
+
 /// `QuerySet` is the set of queries that are to be made to a set of labeled polynomials/equations
 /// `p` that have previously been committed to. Each element of a `QuerySet` is a pair of
 /// `(label, (point_label, point))`, where `label` is the label of a polynomial in `p`,
@@ -527,7 +535,7 @@ fn lc_query_set_to_poly_query_set<'a, F: Field, T: Clone + Ord>(
 pub mod tests {
     use crate::*;
     use ark_poly::Polynomial;
-    use ark_sponge::poseidon::{PoseidonParameters, PoseidonSponge};
+    use ark_sponge::poseidon::{PoseidonConfig, PoseidonSponge};
     use ark_std::rand::{
         distributions::{Distribution, Uniform},
         Rng, SeedableRng,
@@ -1287,7 +1295,7 @@ pub mod tests {
     ///
     /// WARNING: This poseidon parameter is not secure. Please generate
     /// your own parameters according the field you use.
-    pub(crate) fn poseidon_parameters_for_test<F: PrimeField>() -> PoseidonParameters<F> {
+    pub(crate) fn poseidon_parameters_for_test<F: PrimeField>() -> PoseidonConfig<F> {
         let full_rounds = 8;
         let partial_rounds = 31;
         let alpha = 17;
@@ -1309,6 +1317,6 @@ pub mod tests {
             }
             ark.push(res);
         }
-        PoseidonParameters::new(full_rounds, partial_rounds, alpha, mds, ark)
+        PoseidonConfig::new(full_rounds, partial_rounds, alpha, mds, ark, 2, 1)
     }
 }

src/marlin/marlin_pc/data_structures.rs

@@ -193,7 +193,7 @@ impl<E: PairingEngine> PCPreparedVerifierKey<VerifierKey<E>> for PreparedVerifie
     fn prepare(vk: &VerifierKey<E>) -> Self {
         let prepared_vk = kzg10::PreparedVerifierKey::<E>::prepare(&vk.vk);
 
-        let supported_bits = E::Fr::size_in_bits();
+        let supported_bits = E::Fr::MODULUS_BIT_SIZE as usize;
 
         let prepared_degree_bounds_and_shift_powers: Option<Vec<(usize, Vec<E::G1Affine>)>> =
             if vk.degree_bounds_and_shift_powers.is_some() {

src/marlin/marlin_pst13_pc/mod.rs

@@ -134,7 +134,7 @@ impl<E: PairingEngine, P: MVPolynomial<E::Fr>, S: CryptographicSponge> MarlinPST
     /// Convert polynomial coefficients to `BigInt`
     fn convert_to_bigints(p: &P) -> Vec<<E::Fr as PrimeField>::BigInt> {
         let plain_coeffs = ark_std::cfg_into_iter!(p.terms())
-            .map(|(coeff, _)| coeff.into_repr())
+            .map(|(coeff, _)| coeff.into_bigint())
             .collect();
         plain_coeffs
     }
@@ -213,7 +213,7 @@ where
             })
             .unzip();
 
-        let scalar_bits = E::Fr::size_in_bits();
+        let scalar_bits = E::Fr::MODULUS_BIT_SIZE as usize;
         let g_time = start_timer!(|| "Generating powers of G");
         let window_size = FixedBase::get_mul_window_size(max_degree + 1);
         let g_table = FixedBase::get_window_table(scalar_bits, window_size, g);
@@ -256,7 +256,7 @@ where
             .collect();
         let beta_h: Vec<_> = betas
             .iter()
-            .map(|b| h.mul(&(*b).into_repr()).into_affine())
+            .map(|b| h.mul(&(*b).into_bigint()).into_affine())
             .collect();
         let h = h.into_affine();
         let prepared_h = h.into();
@@ -625,16 +625,16 @@ where
             if let Some(random_v) = proof.random_v {
                 gamma_g_multiplier += &(randomizer * &random_v);
             }
-            total_c += &c.mul(&randomizer.into_repr());
+            total_c += &c.mul(&randomizer.into_bigint());
             ark_std::cfg_iter_mut!(total_w)
                 .enumerate()
                 .for_each(|(i, w_i)| *w_i += &w[i].mul(randomizer));
             // We don't need to sample randomizers from the full field,
             // only from 128-bit strings.
             randomizer = u128::rand(rng).into();
         }
-        total_c -= &g.mul(&g_multiplier.into_repr());
-        total_c -= &gamma_g.mul(&gamma_g_multiplier.into_repr());
+        total_c -= &g.mul(&g_multiplier.into_bigint());
+        total_c -= &gamma_g.mul(&gamma_g_multiplier.into_bigint());
         end_timer!(combination_time);
 
         let to_affine_time = start_timer!(|| "Converting results to affine for pairing");

src/multilinear_pc/mod.rs

@@ -32,7 +32,7 @@ impl<E: PairingEngine> MultilinearPC<E> {
         let mut powers_of_g = Vec::new();
         let mut powers_of_h = Vec::new();
         let t: Vec<_> = (0..num_vars).map(|_| E::Fr::rand(rng)).collect();
-        let scalar_bits = E::Fr::size_in_bits();
+        let scalar_bits = E::Fr::MODULUS_BIT_SIZE as usize;
 
         let mut eq: LinkedList<DenseMultilinearExtension<E::Fr>> =
             LinkedList::from_iter(eq_extension(&t).into_iter());
@@ -144,7 +144,7 @@ impl<E: PairingEngine> MultilinearPC<E> {
         let scalars: Vec<_> = polynomial
             .to_evaluations()
             .into_iter()
-            .map(|x| x.into_repr())
+            .map(|x| x.into_bigint())
             .collect();
         let g_product = VariableBase::msm(&ck.powers_of_g[0], scalars.as_slice()).into_affine();
         Commitment { nv, g_product }
@@ -175,7 +175,7 @@ impl<E: PairingEngine> MultilinearPC<E> {
                     + &(r[k][(b << 1) + 1] * &point_at_k);
             }
             let scalars: Vec<_> = (0..(1 << k))
-                .map(|x| q[k][x >> 1].into_repr()) // fine
+                .map(|x| q[k][x >> 1].into_bigint()) // fine
                 .collect();
 
             let pi_h = VariableBase::msm(&ck.powers_of_h[i], &scalars).into_affine(); // no need to move outside and partition
@@ -199,7 +199,7 @@ impl<E: PairingEngine> MultilinearPC<E> {
             vk.h,
         );
 
-        let scalar_size = E::Fr::size_in_bits();
+        let scalar_size = E::Fr::MODULUS_BIT_SIZE as usize;
         let window_size = FixedBase::get_mul_window_size(vk.nv);
 
         let g_table = FixedBase::get_window_table(scalar_size, window_size, vk.g.into_projective());

src/sonic_pc/mod.rs

@@ -66,7 +66,7 @@ where
             let mut comm_with_challenge: E::G1Projective = comm.0.mul(curr_challenge);
 
             if let Some(randomizer) = randomizer {
-                comm_with_challenge = comm_with_challenge.mul(&randomizer.into_repr());
+                comm_with_challenge = comm_with_challenge.mul(&randomizer.into_bigint());
             }
 
             // Accumulate values in the BTreeMap
@@ -85,7 +85,7 @@ where
 
         if let Some(randomizer) = randomizer {
             witness = proof.w.mul(randomizer);
-            adjusted_witness = adjusted_witness.mul(&randomizer.into_repr());
+            adjusted_witness = adjusted_witness.mul(&randomizer.into_bigint());
         }
 
         *combined_witness += &witness;