From a806044b61c36d1ba19d696460a6e7b80fb76dd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antonio=20Mej=C3=ADas=20Gil?=
Date: Mon, 13 Nov 2023 11:57:07 +0100
Subject: [PATCH 1/3] removed evaluation randomness from proof and ignored claimed value in check to make scheme hiding

---
 poly-commit/src/hyrax/data_structures.rs | 4 ---
 poly-commit/src/hyrax/mod.rs | 36 ++----------------------
 2 files changed, 2 insertions(+), 38 deletions(-)

diff --git a/poly-commit/src/hyrax/data_structures.rs b/poly-commit/src/hyrax/data_structures.rs
index 57a068d7..fbdd69a9 100644
--- a/poly-commit/src/hyrax/data_structures.rs
+++ b/poly-commit/src/hyrax/data_structures.rs
@@ -111,8 +111,4 @@ pub struct HyraxProof {
 pub z_d: G::ScalarField,
 /// Auxiliary random scalar
 pub z_b: G::ScalarField,
- /// The hiding scalar r_eval is not part of a Hyrax PCS proof as described
- /// in the reference article. Cf. the "Modification note" at the beginning
- /// of `mod.rs`
- pub r_eval: G::ScalarField,
 }
diff --git a/poly-commit/src/hyrax/mod.rs b/poly-commit/src/hyrax/mod.rs
index 6ce4a444..a9122a46 100644
--- a/poly-commit/src/hyrax/mod.rs
+++ b/poly-commit/src/hyrax/mod.rs
@@ -36,26 +36,9 @@ pub const PROTOCOL_NAME: &'static [u8] = b"Hyrax protocol";
 /// [[WTsTW17]][hyrax].
 ///
 /// [hyrax]: https://eprint.iacr.org/2017/1132.pdf
-///
-/// ### Modification note
-///
-/// In the PCS contained in the cited article, the verifier never learns the
-/// actual evaluation of the polynomial at the requested point, but is instead
-/// convinced that a previously received Pedersen commitment is indeed a
-/// commitment to said evaluation - this is what the SNARK proposed therein
-/// necessitates. However, the Arkworks framework requies the verifier to
-/// actually learn that value, which is why we have added the opening of
-/// the commitment at the end of the protocol. This likely does not result in
-/// an optimal non-hiding PCS, but we feel it is the most faithful adaptation
-/// of the original PCS that can be implemented with the current restrictions.
-///
+/// 
 /// ### Future optimisations
 ///
-/// - Deal with the modification described above: either modify the PCS trait
-/// to encompass hiding PCSs (in terms of the actual evaluation, not only
-/// the polynomial), or turn this scheme into a non-hiding one by removing
-/// unnecessary work (which would probably involve non-trivial theoretical
-/// work).
 /// - Add parallelisation. There is at least one natural place where
 /// parallelisation could bring performance gains: in essence, the prover
 /// commits to the polynomial by expressing it as an evaluation matrix and
@@ -437,12 +420,6 @@ impl>
 let z_d = c * r_lt + r_d;
 let z_b = c * r_eval + r_b;

- // ******** Opening ********
- // This is *not* part of the Hyrax PCS as described in the reference
- // article. Cf. the "Modification note" at the beginning of this file.
- // From the prover's perspective, opening amounts to adding r_eval to
- // the proof.
-
 proofs.push(HyraxProof {
 com_eval,
 com_d,
@@ -450,7 +427,6 @@ impl>
 z,
 z_d,
 z_b,
- r_eval,
 });
 }

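Review bot: The deleted "Modification note" is not replaced by anything that tells a reader how this scheme now relates to the `PolynomialCommitment` trait, which is the one thing a caller must know after this series: the verifier never learns the evaluation, and `check` no longer compares the claimed values against anything. A short replacement note in the same place would stop callers from reading a successful `check` as confirmation of a claimed value, e.g. `/// ### Hiding note` followed by `/// The verifier only receives the Pedersen commitment com_eval to the evaluation and checks its consistency with the committed polynomial; the values passed to check are ignored, so a protocol built on this scheme must bind the evaluation through com_eval itself.` The removed "Future optimisations" bullet could likewise be replaced by one noting that the PCS trait does not model hiding evaluations.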
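Review bot: Within this hunk `r_eval` now appears only in `let z_b = c * r_eval + r_b;`, and since it no longer travels in the proof it has become the blinding factor on which the hiding of `com_eval` rests, yet the comment block that explained its role is deleted without replacement. A one-line comment next to the `z_b` line would record the invariant for the next maintainer: `// r_eval blinds com_eval and must never leave the prover; only the response z_b is sent`. `r_eval` is defined above this hunk, outside what is visible here; the hunk at -450 is the matching field removal and needs no separate comment.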
@@ -504,7 +480,7 @@ impl>
 let l = tensor_prime(point_lower);
 let r = tensor_prime(point_upper);

- for (com, (claim, h_proof)) in commitments
+ for (com, (_, h_proof)) in commitments
 .into_iter()
 .zip(values.into_iter().zip(proof.iter()))
 {
@@ -518,7 +494,6 @@ impl>
 z,
 z_d,
 z_b,
- r_eval,
 } = h_proof;

 if row_coms.len() != 1 << n / 2 {
@@ -569,13 +544,6 @@ impl>
 if com_dp != (com_eval.mul(c) + com_b).into() {
 return Ok(false);
 }
-
- // Third check: opening
- let exp = Self::pedersen_commit(vk, &[claim], Some(*r_eval), None).0;
-
- if *com_eval != exp {
- return Ok(false);
- }
 }

 Ok(true)

From fd72f6a9ea1680effd525437eb32d89330806a2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antonio=20Mej=C3=ADas=20Gil?=
Date: Mon, 13 Nov 2023 12:00:17 +0100
Subject: [PATCH 2/3] fmt

---
 poly-commit/src/hyrax/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/poly-commit/src/hyrax/mod.rs b/poly-commit/src/hyrax/mod.rs
index a9122a46..bab22dad 100644
--- a/poly-commit/src/hyrax/mod.rs
+++ b/poly-commit/src/hyrax/mod.rs
@@ -36,7 +36,7 @@ pub const PROTOCOL_NAME: &'static [u8] = b"Hyrax protocol";
 /// [[WTsTW17]][hyrax].
 ///
 /// [hyrax]: https://eprint.iacr.org/2017/1132.pdf
-/// 
+///
 /// ### Future optimisations
 ///
 /// - Add parallelisation. There is at least one natural place where

From 289f789267fb5e5e8d4546bd87b3f59b89e2b96d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antonio=20Mej=C3=ADas=20Gil?=
Date: Mon, 13 Nov 2023 12:21:00 +0100
Subject: [PATCH 3/3] removed unnecessary usage of argument in check, added _

---
 poly-commit/src/hyrax/mod.rs | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/poly-commit/src/hyrax/mod.rs b/poly-commit/src/hyrax/mod.rs
index bab22dad..67937470 100644
--- a/poly-commit/src/hyrax/mod.rs
+++ b/poly-commit/src/hyrax/mod.rs
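Review bot: The rewritten loop header zips `commitments` with `values` and `proof.iter()`, and `zip` stops at the shortest iterator, so a `proof` with fewer entries than there are commitments — including an empty one — makes the loop skip the unmatched commitments and the function fall through to `Ok(true)`. The old header had the same shape, but the line is rewritten here and again in patch 3 (hunk at -480, where only `commitments` and `proof` remain), so this is the natural place for a length check before the loop; assuming `Self::Proof` is a `Vec` (it is iterated with `.iter()` and built with `proofs.push` in the prover), `let commitments: Vec<_> = commitments.into_iter().collect();` followed by `if commitments.len() != proof.len() { return Ok(false); }` would close the gap. The enclosing `check` body starts and ends outside this hunk.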
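Review bot: With the third check removed, the only statement `check` still makes about the evaluation is that the prover-supplied `com_eval` is consistent with the row commitments at `point`; `claim` no longer influences the result anywhere in the function, so a test that hands `check` a deliberately wrong evaluation can no longer fail on this scheme. It is worth confirming that the crate's generic test templates do not rely on such a negative case for Hyrax, and adding a negative test that tampers with `com_eval` (or `z_b`) in a proof and asserts `check` returns `Ok(false)`, since that consistency check is now the whole of what this function guarantees about the evaluation. The `for` loop and the `check` body both start outside this hunk.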
@@ -448,7 +448,7 @@ impl>
 vk: &Self::VerifierKey,
 commitments: impl IntoIterator>,
 point: &'a P::Point,
- values: impl IntoIterator,
+ _values: impl IntoIterator,
 proof: &Self::Proof,
 // Not used and not generic on the cryptographic sponge S
 _opening_challenges: &mut ChallengeGenerator<
@@ -480,10 +480,7 @@ impl>
 let l = tensor_prime(point_lower);
 let r = tensor_prime(point_upper);

- for (com, (_, h_proof)) in commitments
- .into_iter()
- .zip(values.into_iter().zip(proof.iter()))
- {
+ for (com, h_proof) in commitments.into_iter().zip(proof.iter()) {
 let row_coms = &com.commitment().row_coms;

 // extract each field from h_proof
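Review bot: Renaming the parameter to `_values` silences the unused-variable warning but leaves the public contract of `check` undocumented: a caller going through the `PolynomialCommitment` trait expects `Ok(true)` to mean the committed polynomial evaluates to `values` at `point`, and after this series the argument is never read. The method's doc comment (its start is outside the hunk) should state this explicitly, e.g. `/// NOTE: the claimed values are ignored. This only verifies that the prover-supplied com_eval in the proof is consistent with the commitment at point; callers must bind the evaluation through com_eval.` The same caveat belongs next to the `// Not used` comment already present for `_opening_challenges`, so both ignored parameters are explained in one place.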