Add Ligero PCS #125
Add Ligero PCS #125
Conversation
PCS Ligero constructor
…d work on commit function
Commitment with transcript
* make test util functions cfg-gated * Add constant_poly_test * Add quadratic tests * Add linear poly tests * Add all other tests from test suite * fix check_combinations fix combinations remove prints remove old comments * remove deprecated deny * change the signature of rand_point to allow other fields * remove tests superseded by automated test suite * Create a `new` method for `LigeroPCUniversalParams` * document `LigeroPCUniversalParams`
…clippy lints (#31) * replace direct construction by `new` call to LigeroPCUniversalParams * some clippy fixes * replace `todo()`s by `default()` or `()` * move implementation of `Ligero` to data_structures * Add more info to `Ligero` struct incl. link and no-hiding note
autquis
requested review from
z-tech,
mmagician and
weikengchen
and removed request for
a team
|
We would like to thank Modulus Labs @Modulus-Labs for the support, motivation and excellent discussions around the implementation and security of Ligero; and Aleo @AleoHQ for the hackathon sponsorship where some of the development and progress were discussed. |
* use Vec/ToString from ark_std * rayon should only be enabled under the parallel feature * for no-std targets, enable Float arithmetic from num_traits
| pub(crate) struct IOPTranscript<F: PrimeField> { | ||
| transcript: Transcript, | ||
| is_empty: bool, | ||
| #[doc(hidden)] | ||
| phantom: PhantomData<F>, | ||
| } | ||
|
|
||
| // TODO: merge this with jf_plonk::transcript | ||
| impl<F: PrimeField> IOPTranscript<F> { |
There was a problem hiding this comment.
This seems to me be yet another implementation of a sponge. We should try to consolidate all the usages so that we don't have duplication. cc @mmaker
There was a problem hiding this comment.
It is indeed a YASI (yet-another-sponge-implentation).
Let me give some background. The idea was to use concrete instantiation directly, instead of adding more generics for the user to choose from. We already have some hashing-related generics on Ligero due to this PCS inherently relying on hashing in multiple places. Since we also rely on interaction, we additionally need to use a Fiat-Shamir transcript as part of the construction. In principle, one could opt in for a different choice for the hash for transcript than what is used for hashing the columns.
There is actually one further spot where potentially a different hash function can (and maybe later, should) be used: hashing the leaves of the Merkle Tree. This distinction becomes evident especially when we consider sth like Poseidon, where the rate of 2 makes much more sense for MT, whereas a higher rate can speed up hashing large columns. So that brings the total choice of hashing parameters (in the non-interactive scheme) to 3. The current design attempts to simplify that interface by forcing a transcript sponge on the user, and also forcing the same hash parameters for column and MT.
I think we could swap out IOPTranscript (which uses merlin under the hood) used here for something from crypto-primitives - the problem is that we don't have any good defaults provided there for the sponge construction AFAIK, and it wasn't clear to me how to safely choose the parameters for non-testing purposes.
src/ligero/data_structures.rs
Outdated
| <<C as Config>::TwoToOneHash as TwoToOneCRHScheme>::Parameters: Debug, | ||
| <<C as Config>::LeafHash as CRHScheme>::Parameters: Debug, |
There was a problem hiding this comment.
Perhaps we should just make Parameters: Debug in crypto-primitives directly? E.g. a companion to this PR: arkworks-rs/crypto-primitives#114
There was a problem hiding this comment.
That should be resolved in 61f3c64
| if F::TWO_ADICITY < self.rho_inv as u32 { | ||
| 0 |
There was a problem hiding this comment.
We should probably just return an error if this happens
There was a problem hiding this comment.
We actually do: https://github.com/HungryCatsStudio/poly-commit/blob/46a6a859c3fb15427a1659124d119c550b415701/src/ligero/mod.rs#L80.
Without changing the interface we just propagate the zero to the caller and check there.
src/ligero/data_structures.rs
Outdated
| <<C as Config>::TwoToOneHash as TwoToOneCRHScheme>::Parameters: Debug, | ||
| <<C as Config>::LeafHash as CRHScheme>::Parameters: Debug, |
There was a problem hiding this comment.
If you're ignoring the parameters for debugging, then I guess you don't need this bound, no?
There was a problem hiding this comment.
Great point, makes the trait bounds much cleaner!
src/ligero/data_structures.rs
Outdated
| } | ||
| } | ||
|
|
||
| pub(crate) type LigeroPCPreparedCommitment = (); |
There was a problem hiding this comment.
Perhaps this should just be the standard commitment, as opposed to ()?
src/ligero/data_structures.rs
Outdated
| impl PCRandomness for LigeroPCRandomness { | ||
| fn empty() -> Self {} | ||
|
|
||
| fn rand<R: RngCore>( | ||
| _num_queries: usize, | ||
| _has_degree_bound: bool, | ||
| _num_vars: Option<usize>, | ||
| _rng: &mut R, | ||
| ) -> Self { | ||
| } | ||
| } |
There was a problem hiding this comment.
Maybe these methods should return unimplemented!() for now?
src/ligero/mod.rs
Outdated
| ) -> Result<(Self::CommitterKey, Self::VerifierKey), Self::Error> { | ||
| if pp.max_degree() == 0 { | ||
| return Err(Error::InvalidParameters( | ||
| "This field is not suitable for the proposed parameters".to_string(), |
There was a problem hiding this comment.
Might make sense to make this a const and reuse this.
| Self::Randomness: 'a, | ||
| Self::Commitment: 'a, |
There was a problem hiding this comment.
Should we add 'static bounds to Self::Randomness and Self::Commitment in the trait definition directly?
There was a problem hiding this comment.
Do you mean like:
...
Self::Randomness: 'static,
Self::Commitment: 'static,
{
let mut proof_array = LPCPArray::default();
let labeled_commitments: Vec<&LabeledCommitment<Self::Commitment>> =
commitments.into_iter().collect();
?
|
btw it would be useful to compare notes with https://github.com/arkworks-rs/ldt and https://github.com/arkworks-rs/bcs and see if any infrastructure can be combined/reused |
|
Definitely! I was mostly oblivious to those repos. |
|
Closing in favour of #132 |
So, this is Ligero PCS. We had to copy-paste some code from
jellyfishsincejellyfishdepends on the release0.4.0ofcrypto-primitive, which does not haveCanonicalSerialize. Oncejellyfishupdates its dependency, we can use their crate.Also, in
Cargo.toml, we use a specific revision ofcrypto-primitivesince later commits break KZG and other PCSs in the repo. I'll address this issue in another PR.Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.
Pendingsection inCHANGELOG.mdFiles changedin the Github PR explorer