Add Ligero univariate and multilinear PCS

Cargo.toml

@@ -34,7 +34,7 @@ ark-ec = { git = "https://github.com/arkworks-rs/algebra/" }
 ark-serialize = { git = "https://github.com/arkworks-rs/algebra/" }
 ark-poly = { git = "https://github.com/arkworks-rs/algebra/" }
 
-ark-crypto-primitives = { git = "https://github.com/arkworks-rs/crypto-primitives" }
+ark-crypto-primitives = { git = "https://github.com/arkworks-rs/crypto-primitives/" }
 ark-r1cs-std = { git = "https://github.com/arkworks-rs/r1cs-std/" }
 
 ark-bls12-377 = { git = "https://github.com/arkworks-rs/algebra/" }

bench-templates/src/lib.rs

@@ -1,17 +1,23 @@
-use ark_crypto_primitives::sponge::{
-    poseidon::{PoseidonConfig, PoseidonSponge},
-    CryptographicSponge,
+use ark_crypto_primitives::{
+    crh::{sha256::digest::Digest, CRHScheme},
+    sponge::{
+        poseidon::{PoseidonConfig, PoseidonSponge},
+        CryptographicSponge,
+    },
 };
 use ark_ff::PrimeField;
 use ark_poly::Polynomial;
 use ark_serialize::{CanonicalSerialize, Compress};
 use ark_std::{test_rng, UniformRand};
-use rand_chacha::{rand_core::SeedableRng, ChaCha20Rng};
+use rand_chacha::{
+    rand_core::{RngCore, SeedableRng},
+    ChaCha20Rng,
+};
 
 use core::time::Duration;
-use std::time::Instant;
+use std::{borrow::Borrow, marker::PhantomData, time::Instant};
 
-use ark_poly_commit::{LabeledPolynomial, PolynomialCommitment};
+use ark_poly_commit::{to_bytes, LabeledPolynomial, PolynomialCommitment};
 
 pub use criterion::*;
 pub use paste::paste;
@@ -276,3 +282,57 @@ macro_rules! bench {
         }
     };
 }
+
+/**** Auxiliary methods for linear-code-based PCSs ****/
+
+/// Needed for benches and tests.
+pub struct LeafIdentityHasher;
+
+impl CRHScheme for LeafIdentityHasher {
+    type Input = Vec<u8>;
+    type Output = Vec<u8>;
+    type Parameters = ();
+
+    fn setup<R: RngCore>(_: &mut R) -> Result<Self::Parameters, ark_crypto_primitives::Error> {
+        Ok(())
+    }
+
+    fn evaluate<T: Borrow<Self::Input>>(
+        _: &Self::Parameters,
+        input: T,
+    ) -> Result<Self::Output, ark_crypto_primitives::Error> {
+        Ok(input.borrow().to_vec().into())
+    }
+}
+
+/// Needed for benches and tests.
+pub struct FieldToBytesColHasher<F, D>
+where
+    F: PrimeField + CanonicalSerialize,
+    D: Digest,
+{
+    _phantom: PhantomData<(F, D)>,
+}
+
+impl<F, D> CRHScheme for FieldToBytesColHasher<F, D>
+where
+    F: PrimeField + CanonicalSerialize,
+    D: Digest,
+{
+    type Input = Vec<F>;
+    type Output = Vec<u8>;
+    type Parameters = ();
+
+    fn setup<R: RngCore>(_rng: &mut R) -> Result<Self::Parameters, ark_crypto_primitives::Error> {
+        Ok(())
+    }
+
+    fn evaluate<T: Borrow<Self::Input>>(
+        _parameters: &Self::Parameters,
+        input: T,
+    ) -> Result<Self::Output, ark_crypto_primitives::Error> {
+        let mut dig = D::new();
+        dig.update(to_bytes!(input.borrow()).unwrap());
+        Ok(dig.finalize().to_vec())
+    }
+}

poly-commit/Cargo.toml

@@ -26,12 +26,19 @@ ark-r1cs-std = { version = "^0.4.0", default-features = false, optional = true }
 hashbrown = { version = "0.15", default-features = false, features = ["inline-more", "allocator-api2"], optional = true }
 rand = { version = "0.8.0", optional = true }
 rayon = { version = "1", optional = true }
+merlin = { version = "3.0.0", default-features = false }
 
 [[bench]]
 name = "ipa_times"
 path = "benches/ipa_times.rs"
 harness = false
 
+[[bench]]
+name = "ligero_ml_times"
+path = "benches/ligero_ml_times.rs"
+harness = false
+
+
 [[bench]]
 name = "hyrax_times"
 path = "benches/hyrax_times.rs"
@@ -53,10 +60,12 @@ ark-ed-on-bls12-381 = { version = "^0.4.0", default-features = false }
 ark-bls12-381 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
 ark-bls12-377 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
 ark-bn254 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
-
 rand_chacha = { version = "0.3.0", default-features = false }
 ark-pcs-bench-templates = { path = "../bench-templates" }
 
+[target.'cfg(target_arch = "aarch64")'.dependencies]
+num-traits = { version = "0.2", default-features = false, features = ["libm"] }
+
 [features]
 default = [ "std", "parallel" ]
 std = [ "ark-ff/std", "ark-ec/std", "ark-poly/std", "ark-std/std", "ark-relations/std", "ark-serialize/std", "ark-crypto-primitives/std"]

poly-commit/benches/ligero_ml_times.rs

@@ -0,0 +1,55 @@
+use ark_crypto_primitives::{
+    crh::{sha256::Sha256, CRHScheme, TwoToOneCRHScheme},
+    merkle_tree::{ByteDigestConverter, Config},
+};
+use ark_pcs_bench_templates::*;
+use ark_poly::{DenseMultilinearExtension, MultilinearExtension};
+
+use ark_bn254::Fr;
+use ark_ff::PrimeField;
+
+use ark_poly_commit::linear_codes::{LinearCodePCS, MultilinearLigero};
+use blake2::Blake2s256;
+use rand_chacha::ChaCha20Rng;
+
+// Ligero PCS over BN254
+struct MerkleTreeParams;
+type LeafH = LeafIdentityHasher;
+type CompressH = Sha256;
+impl Config for MerkleTreeParams {
+    type Leaf = Vec<u8>;
+
+    type LeafDigest = <LeafH as CRHScheme>::Output;
+    type LeafInnerDigestConverter = ByteDigestConverter<Self::LeafDigest>;
+    type InnerDigest = <CompressH as TwoToOneCRHScheme>::Output;
+
+    type LeafHash = LeafH;
+    type TwoToOneHash = CompressH;
+}
+
+pub type MLE<F> = DenseMultilinearExtension<F>;
+type MTConfig = MerkleTreeParams;
+type ColHasher<F> = FieldToBytesColHasher<F, Blake2s256>;
+type Ligero<F> = LinearCodePCS<
+    MultilinearLigero<F, MTConfig, MLE<F>, ColHasher<F>>,
+    F,
+    MLE<F>,
+    MTConfig,
+    ColHasher<F>,
+>;
+
+fn rand_poly_ligero_ml<F: PrimeField>(
+    num_vars: usize,
+    rng: &mut ChaCha20Rng,
+) -> DenseMultilinearExtension<F> {
+    DenseMultilinearExtension::rand(num_vars, rng)
+}
+
+fn rand_point_ligero_ml<F: PrimeField>(num_vars: usize, rng: &mut ChaCha20Rng) -> Vec<F> {
+    (0..num_vars).map(|_| F::rand(rng)).collect()
+}
+
+const MIN_NUM_VARS: usize = 12;
+const MAX_NUM_VARS: usize = 22;
+
+bench!(Ligero<Fr>, rand_poly_ligero_ml, rand_point_ligero_ml);

poly-commit/src/ipa_pc/mod.rs

@@ -1,7 +1,7 @@
 use crate::{
-    BTreeMap, BTreeSet, BatchLCProof, DenseUVPolynomial, Error, Evaluations, LabeledCommitment,
-    LabeledPolynomial, LinearCombination, PCCommitmentState, PCCommitterKey, PCUniversalParams,
-    PolynomialCommitment, QuerySet, CHALLENGE_SIZE,
+    utils::inner_product, BTreeMap, BTreeSet, BatchLCProof, DenseUVPolynomial, Error, Evaluations,
+    LabeledCommitment, LabeledPolynomial, LinearCombination, PCCommitmentState, PCCommitterKey,
+    PCUniversalParams, PolynomialCommitment, QuerySet, CHALLENGE_SIZE,
 };
 use ark_crypto_primitives::sponge::CryptographicSponge;
 use ark_ec::{AffineRepr, CurveGroup, VariableBaseMSM};
@@ -86,11 +86,6 @@ where
         challenge.unwrap()
     }
 
-    #[inline]
-    fn inner_product(l: &[G::ScalarField], r: &[G::ScalarField]) -> G::ScalarField {
-        ark_std::cfg_iter!(l).zip(r).map(|(li, ri)| *li * ri).sum()
-    }
-
     /// The succinct portion of `PC::check`. This algorithm runs in time
     /// O(log d), where d is the degree of the committed polynomials.
     fn succinct_check<'a>(
@@ -674,10 +669,10 @@ where
             let (key_proj_l, _) = key_proj.split_at_mut(n / 2);
 
             let l = Self::cm_commit(key_l, coeffs_r, None, None)
-                + &h_prime.mul(Self::inner_product(coeffs_r, z_l));
+                + &h_prime.mul(inner_product(coeffs_r, z_l));
 
             let r = Self::cm_commit(key_r, coeffs_l, None, None)
-                + &h_prime.mul(Self::inner_product(coeffs_l, z_r));
+                + &h_prime.mul(inner_product(coeffs_l, z_r));
 
             let lr = G::Group::normalize_batch(&[l, r]);
             l_vec.push(lr[0]);

poly-commit/src/lib.rs

@@ -128,6 +128,11 @@ pub use marlin::marlin_pst13_pc;
 /// [bdfg]: https://eprint.iacr.org/2020/081.pdf
 pub mod streaming_kzg;
 
+/// Scheme based on the Ligero construction in [[Ligero]][ligero].
+///
+/// [ligero]: https://eprint.iacr.org/2022/1608
+pub mod linear_codes;
+
 /// A polynomial commitment scheme based on the hardness of the
 /// discrete logarithm problem in prime-order groups. This is a
 /// Fiat-Shamired version of the PCS described in the Hyrax paper

poly-commit/src/linear_codes/data_structures.rs

@@ -0,0 +1,124 @@
+use crate::{utils::Matrix, PCCommitment, PCCommitmentState};
+use ark_crypto_primitives::{
+    crh::CRHScheme,
+    merkle_tree::{Config, LeafParam, Path, TwoToOneParam},
+};
+use ark_ff::PrimeField;
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
+#[cfg(not(feature = "std"))]
+use ark_std::vec::Vec;
+use ark_std::{marker::PhantomData, rand::RngCore};
+
+#[derive(Derivative, CanonicalSerialize, CanonicalDeserialize)]
+#[derivative(Clone(bound = ""), Debug(bound = ""))]
+/// The public parameters for Ligero PCS.
+pub struct LigeroPCParams<F: PrimeField, C: Config, H: CRHScheme> {
+    pub(crate) _field: PhantomData<F>,
+    /// The security parameter
+    pub(crate) sec_param: usize,
+    /// The inverse of the code rate.
+    pub(crate) rho_inv: usize,
+    /// This is a flag which determines if the random linear combination is done.
+    pub(crate) check_well_formedness: bool,
+    /// Parameters for hash function of Merkle tree leaves
+    #[derivative(Debug = "ignore")]
+    pub(crate) leaf_hash_param: LeafParam<C>,
+    /// Parameters for hash function of Merke tree combining two nodes into one
+    #[derivative(Debug = "ignore")]
+    pub(crate) two_to_one_hash_param: TwoToOneParam<C>,
+    // Parameters for obtaining leaf digest from leaf value.
+    #[derivative(Debug = "ignore")]
+    pub(crate) col_hash_params: H::Parameters,
+}
+
+#[derive(Derivative, CanonicalSerialize, CanonicalDeserialize)]
+#[derivative(Default(bound = ""), Clone(bound = ""), Debug(bound = ""))]
+pub(crate) struct Metadata {
+    pub(crate) n_rows: usize,
+    pub(crate) n_cols: usize,
+    pub(crate) n_ext_cols: usize,
+}
+
+/// The commitment to a polynomial is a root of the merkle tree,
+/// where each node is a hash of the column of the encoded coefficient matrix U.
+#[derive(Derivative, CanonicalSerialize, CanonicalDeserialize)]
+#[derivative(Default(bound = ""), Clone(bound = ""), Debug(bound = ""))]
+pub struct LinCodePCCommitment<C: Config> {
+    // number of rows resp. columns of the square matrix containing the coefficients of the polynomial
+    pub(crate) metadata: Metadata,
+    pub(crate) root: C::InnerDigest,
+}
+
+impl<C: Config> PCCommitment for LinCodePCCommitment<C> {
+    fn empty() -> Self {
+        LinCodePCCommitment::default()
+    }
+
+    fn has_degree_bound(&self) -> bool {
+        false
+    }
+}
+
+#[derive(Derivative, CanonicalSerialize, CanonicalDeserialize)]
+#[derivative(Default(bound = ""), Clone(bound = ""), Debug(bound = ""))]
+pub struct LinCodePCCommitmentState<F, H>
+where
+    F: PrimeField,
+    H: CRHScheme,
+{
+    pub(crate) mat: Matrix<F>,
+    pub(crate) ext_mat: Matrix<F>,
+    pub(crate) leaves: Vec<H::Output>,
+}
+
+impl<F, H> PCCommitmentState for LinCodePCCommitmentState<F, H>
+where
+    F: PrimeField,
+    H: CRHScheme,
+{
+    type Randomness = ();
+    fn empty() -> Self {
+        unimplemented!()
+    }
+
+    fn rand<R: RngCore>(
+        _num_queries: usize,
+        _has_degree_bound: bool,
+        _num_vars: Option<usize>,
+        _rng: &mut R,
+    ) -> Self::Randomness {
+        unimplemented!()
+    }
+}
+
+/// Proof of an individual linear code well-formedness check or opening
+#[derive(Derivative, CanonicalSerialize, CanonicalDeserialize)]
+#[derivative(Default(bound = ""), Clone(bound = ""), Debug(bound = ""))]
+pub(crate) struct LinCodePCProofSingle<F, C>
+where
+    F: PrimeField,
+    C: Config,
+{
+    /// For each of the indices in q, `paths` contains the path from the root of the merkle tree to the leaf
+    pub(crate) paths: Vec<Path<C>>,
+
+    /// v, s.t. E(v) = w
+    pub(crate) v: Vec<F>,
+
+    pub(crate) columns: Vec<Vec<F>>,
+}
+
+/// The Proof type for linear code PCS, which amounts to an array of individual proofs
+#[derive(Derivative, CanonicalSerialize, CanonicalDeserialize)]
+#[derivative(Default(bound = ""), Clone(bound = ""), Debug(bound = ""))]
+pub struct LinCodePCProof<F, C>
+where
+    F: PrimeField,
+    C: Config,
+{
+    pub(crate) opening: LinCodePCProofSingle<F, C>,
+    pub(crate) well_formedness: Option<Vec<F>>,
+}
+
+// Multiple poly at one point
+pub(crate) type LPCPArray<F, C> = Vec<LinCodePCProof<F, C>>;