Multivariate marlin (#50)

* Add multivariate pc support

* Integrate new polynomial interfaces

* Fix no_std

* Reduce code reuse

* Small optimizations

* Update for arkworks + tweaks

* Fix

* fmt

* Handle the conflict with `master` on sonic_pc

* Handle the upstream conflict

* Handle the conflict with the upstream

* Handle the conflict with the upstream

* Cargo fmt

* mul update; add serialization

* Update the references

* Reconcile the citation

* fix some missing points

Co-authored-by: Weikeng Chen <w.k@berkeley.edu>
Co-authored-by: oblivious-app <55861861+oblivious-app@users.noreply.github.com>

Author: 3 people

README.md

@@ -5,7 +5,7 @@
    <a href="https://github.com/arkworks-rs/poly-commit/blob/master/LICENSE-MIT"><img src="https://img.shields.io/badge/license-MIT-blue.svg"></a>
 </p>
 
-`poly-commit` is a Rust library that implements (univariate) *polynomial commitment schemes*. This library was initially developed as part of the [Marlin paper][marlin], and is released under the MIT License and the Apache v2 License (see [License](#license)).
+`poly-commit` is a Rust library that implements *polynomial commitment schemes*. This library was initially developed as part of the [Marlin paper][marlin], and is released under the MIT License and the Apache v2 License (see [License](#license)).
 
 **WARNING:** This is an academic prototype, and in particular has not received careful code review. This implementation is NOT ready for production use.
 
@@ -54,6 +54,7 @@ Unless you explicitly state otherwise, any contribution that you submit to this
 [sonic]: https://ia.cr/2019/099
 [aurora-light]: https://ia.cr/2019/601
 [pcd-acc]: https://ia.cr/2020/499
+[pst]: https://ia.cr.org/2011/587
 
 ## Reference papers
 
@@ -65,7 +66,7 @@ ASIACRYPT 2010
 Mary Maller, Sean Bowe, Markulf Kohlweiss, Sarah Meiklejohn     
 CCS 2019
 
-[AuroraLight: Improved prover efficiency and SRS size in a Sonic-like system][aurora-light]     
+[AuroraLight: Improved Prover Efficiency and SRS Size in a Sonic-Like System][aurora-light]     
 Ariel Gabizon     
 ePrint, 2019
 
@@ -75,8 +76,11 @@ EUROCRYPT 2020
 
 [Proof-Carrying Data from Accumulation Schemes][pcd-acc]     
 Benedikt Bünz, Alessandro Chiesa, [Pratyush Mishra](https://www.github.com/pratyush), Nicholas Spooner     
-ePrint, 2020
+TCC 2020
 
+[Signatures of Correct Computation][pst]
+Charalampos Papamanthou, Elaine Shi, Roberto Tamassia
+TCC 2013
 
 ## Acknowledgements
 

src/error.rs

@@ -79,6 +79,20 @@ pub enum Error {
 
     /// The inputs to `commit`, `open` or `verify` had incorrect lengths.
     IncorrectInputLength(String),
+
+    /// An invalid number of variables was provided to `setup`
+    InvalidNumberOfVariables,
+
+    /// The degree of the `index`-th polynomial passed to `commit`, `open`
+    /// or `check` was incorrect, that is, `supported_degree <= poly_degree`
+    PolynomialDegreeTooLarge {
+        /// Degree of the polynomial.
+        poly_degree: usize,
+        /// Maximum supported degree.
+        supported_degree: usize,
+        /// Index of the offending polynomial.
+        label: String,
+    },
 }
 
 impl core::fmt::Display for Error {
@@ -151,6 +165,19 @@ impl core::fmt::Display for Error {
                  supported degree ({:?})",
                 degree_bound, label, poly_degree, supported_degree
             ),
+            Error::InvalidNumberOfVariables => write!(
+                f,
+                "An invalid number of variables was provided to `setup`"
+            ),
+            Error::PolynomialDegreeTooLarge {
+                poly_degree,
+                supported_degree,
+                label,
+            } => write!(
+                f,
+                "the polynomial {} has degree {:?}, but parameters only
+                support up to degree ({:?})", label, poly_degree, supported_degree
+            ),
             Error::IncorrectInputLength(err) => write!(f, "{}", err),
         }
     }

src/lib.rs

@@ -44,6 +44,13 @@ pub mod error;
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 pub use error::*;
 
+/// Univariate and multivariate polynomial commitment schemes
+/// which (optionally) enable hiding commitments by following
+/// the approach outlined in [[CHMMVW20, "Marlin"]][marlin].
+///
+/// [marlin]: https://eprint.iacr.org/2019/1047
+pub mod marlin;
+
 /// A random number generator that bypasses some limitations of the Rust borrow
 /// checker.
 pub mod optional_rng;
@@ -69,7 +76,7 @@ pub mod kzg10;
 ///
 /// [kzg]: http://cacr.uwaterloo.ca/techreports/2010/cacr2010-10.pdf
 /// [marlin]: https://eprint.iacr.org/2019/1047
-pub mod marlin_pc;
+pub use marlin::marlin_pc;
 
 /// Polynomial commitment scheme based on the construction in [[KZG10]][kzg],
 /// modified to obtain batching and to enforce strict
@@ -90,6 +97,14 @@ pub mod sonic_pc;
 /// [pcdas]: https://eprint.iacr.org/2020/499
 pub mod ipa_pc;
 
+/// Multivariate polynomial commitment based on the construction in
+/// [[PST13]][pst] with batching and (optional) hiding property inspired
+/// by the univariate scheme in [[CHMMVW20, "Marlin"]][marlin]
+///
+/// [pst]: https://eprint.iacr.org/2011/587.pdf
+/// [marlin]: https://eprint.iacr.org/2019/104
+pub use marlin::marlin_pst13_pc;
+
 /// `QuerySet` is the set of queries that are to be made to a set of labeled polynomials/equations
 /// `p` that have previously been committed to. Each element of a `QuerySet` is a pair of
 /// `(label, (point_label, point))`, where `label` is the label of a polynomial in `p`,