Make Hyrax hiding again

Cargo.toml

@@ -31,8 +31,11 @@ debug = true
 ark-ff = { git = "https://github.com/arkworks-rs/algebra/" }
 ark-ec = { git = "https://github.com/arkworks-rs/algebra/" }
 ark-serialize = { git = "https://github.com/arkworks-rs/algebra/" }
+ark-poly = { git = "https://github.com/arkworks-rs/algebra/" }
+
 ark-crypto-primitives = { git = "https://github.com/arkworks-rs/crypto-primitives" }
 ark-r1cs-std = { git = "https://github.com/arkworks-rs/r1cs-std/" }
 
 ark-bls12-377 = { git = "https://github.com/arkworks-rs/curves/" }
 ark-bls12-381 = { git = "https://github.com/arkworks-rs/curves/" }
+ark-bn254 = { git = "https://github.com/arkworks-rs/curves/" }

README.md

@@ -186,6 +186,8 @@ Unless you explicitly state otherwise, any contribution that you submit to this
 [aurora-light]: https://ia.cr/2019/601
 [pcd-acc]: https://ia.cr/2020/499
 [pst]: https://ia.cr/2011/587
+[ligero]: https://ia.cr/2022/1608
+[hyrax]: https://eprint.iacr.org/2017/1132
 
 ## Reference papers
 
@@ -213,6 +215,14 @@ TCC 2020
 Charalampos Papamanthou, Elaine Shi, Roberto Tamassia   
 TCC 2013
 
+[Ligero: Lightweight Sublinear Arguments Without a Trusted Setup][ligero]    
+Scott Ames, Carmit Hazay, Yuval Ishai, Muthuramakrishnan Venkitasubramaniam    
+CCS 2017
+
+[Doubly-efficient zkSNARKs without trusted setup][hyrax]
+Riad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, Michael Walfish
+2018 IEEE Symposium on Security and Privacy
+
 ## Acknowledgements
 
 This work was supported by: an Engineering and Physical Sciences Research Council grant; a Google Faculty Award; the RISELab at UC Berkeley; and donations from the Ethereum Foundation and the Interchain Foundation.

bench-templates/src/lib.rs

@@ -30,8 +30,10 @@ pub fn bench_pcs_method<
         &PCS::VerifierKey,
         usize,
         fn(usize, &mut ChaCha20Rng) -> P,
+        fn(usize, &mut ChaCha20Rng) -> P::Point,
     ) -> Duration,
     rand_poly: fn(usize, &mut ChaCha20Rng) -> P,
+    rand_point: fn(usize, &mut ChaCha20Rng) -> P::Point,
 ) {
     let mut group = c.benchmark_group(msg);
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
@@ -44,7 +46,13 @@ pub fn bench_pcs_method<
             BenchmarkId::from_parameter(num_vars),
             &num_vars,
             |b, num_vars| {
-                b.iter(|| method(&ck, &vk, *num_vars, rand_poly));
+                b.iter_custom(|i| {
+                    let mut time = Duration::from_nanos(0);
+                    for _ in 0..i {
+                        time += method(&ck, &vk, *num_vars, rand_poly, rand_point);
+                    }
+                    time
+                });
             },
         );
     }
@@ -62,6 +70,7 @@ pub fn commit<
     _vk: &PCS::VerifierKey,
     num_vars: usize,
     rand_poly: fn(usize, &mut ChaCha20Rng) -> P,
+    _rand_point: fn(usize, &mut ChaCha20Rng) -> P::Point,
 ) -> Duration {
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
 
@@ -102,20 +111,20 @@ pub fn open<F, P, PCS>(
     _vk: &PCS::VerifierKey,
     num_vars: usize,
     rand_poly: fn(usize, &mut ChaCha20Rng) -> P,
+    rand_point: fn(usize, &mut ChaCha20Rng) -> P::Point,
 ) -> Duration
 where
     F: PrimeField,
     P: Polynomial<F>,
     PCS: PolynomialCommitment<F, P, PoseidonSponge<F>>,
-    P::Point: UniformRand,
 {
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
 
     let labeled_poly =
         LabeledPolynomial::new("test".to_string(), rand_poly(num_vars, rng), None, None);
 
     let (coms, randomness) = PCS::commit(&ck, [&labeled_poly], Some(rng)).unwrap();
-    let point = P::Point::rand(rng);
+    let point = rand_point(num_vars, rng);
 
     let start = Instant::now();
     let _ = PCS::open(
@@ -173,20 +182,20 @@ pub fn verify<F, P, PCS>(
     vk: &PCS::VerifierKey,
     num_vars: usize,
     rand_poly: fn(usize, &mut ChaCha20Rng) -> P,
+    rand_point: fn(usize, &mut ChaCha20Rng) -> P::Point,
 ) -> Duration
 where
     F: PrimeField,
     P: Polynomial<F>,
     PCS: PolynomialCommitment<F, P, PoseidonSponge<F>>,
-    P::Point: UniformRand,
 {
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
 
     let labeled_poly =
         LabeledPolynomial::new("test".to_string(), rand_poly(num_vars, rng), None, None);
 
     let (coms, randomness) = PCS::commit(&ck, [&labeled_poly], Some(rng)).unwrap();
-    let point = P::Point::rand(rng);
+    let point = rand_point(num_vars, rng);
     let claimed_eval = labeled_poly.evaluate(&point);
     let proof = PCS::open(
         &ck,
@@ -243,7 +252,7 @@ fn test_sponge<F: PrimeField>() -> PoseidonSponge<F> {
 
 #[macro_export]
 macro_rules! bench_method {
-    ($c:expr, $method:ident, $scheme_type:ty, $rand_poly:ident) => {
+    ($c:expr, $method:ident, $scheme_type:ty, $rand_poly:ident, $rand_point:ident) => {
         let scheme_type_str = stringify!($scheme_type);
         let bench_name = format!("{} {}", stringify!($method), scheme_type_str);
         bench_pcs_method::<_, _, $scheme_type>(
@@ -252,19 +261,20 @@ macro_rules! bench_method {
             &bench_name,
             $method::<_, _, $scheme_type>,
             $rand_poly::<_>,
+            $rand_point::<_>,
         );
     };
 }
 
 #[macro_export]
 macro_rules! bench {
     (
-        $scheme_type:ty, $rand_poly:ident
+        $scheme_type:ty, $rand_poly:ident, $rand_point:ident
     ) => {
         fn bench_pcs(c: &mut Criterion) {
-            bench_method!(c, commit, $scheme_type, $rand_poly);
-            bench_method!(c, open, $scheme_type, $rand_poly);
-            bench_method!(c, verify, $scheme_type, $rand_poly);
+            bench_method!(c, commit, $scheme_type, $rand_poly, $rand_point);
+            bench_method!(c, open, $scheme_type, $rand_poly, $rand_point);
+            bench_method!(c, verify, $scheme_type, $rand_poly, $rand_point);
         }
 
         criterion_group!(benches, bench_pcs);

poly-commit/Cargo.toml

@@ -15,18 +15,25 @@ ark-ec = { version = "^0.4.0", default-features = false }
 ark-poly = {version = "^0.4.0", default-features = false }
 ark-crypto-primitives = {version = "^0.4.0", default-features = false, features = ["sponge", "merkle_tree"] }
 ark-std = { version = "^0.4.0", default-features = false }
-
+blake2 = { version = "0.10", default-features = false }
+merlin = { version = "3.0.0", default-features = false }
+rand = { version = "0.8.0", optional = true }
 ark-relations = { version = "^0.4.0", default-features = false, optional = true }
 ark-r1cs-std = { version = "^0.4.0", default-features = false, optional = true }
-hashbrown = { version = "0.13", default-features = false, optional = true }
 
 digest = "0.10"
 derivative = { version = "2", features = [ "use_core" ] }
 rayon = { version = "1", optional = true }
+hashbrown = { version = "0.14", default-features = false, optional = true }
 
 [[bench]]
-name = "pcs"
-path = "benches/pcs.rs"
+name = "ipa_times"
+path = "benches/ipa_times.rs"
+harness = false
+
+[[bench]]
+name = "hyrax_times"
+path = "benches/hyrax_times.rs"
 harness = false
 
 [[bench]]
@@ -38,7 +45,8 @@ harness = false
 ark-ed-on-bls12-381 = { version = "^0.4.0", default-features = false }
 ark-bls12-381 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
 ark-bls12-377 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
-blake2 = { version = "0.10", default-features = false }
+ark-bn254 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
+
 rand_chacha = { version = "0.3.0", default-features = false }
 ark-pcs-bench-templates = { path = "../bench-templates" }
 
@@ -47,4 +55,4 @@ default = [ "std", "parallel" ]
 std = [ "ark-ff/std", "ark-ec/std", "ark-poly/std", "ark-std/std", "ark-relations/std", "ark-serialize/std", "ark-crypto-primitives/std"]
 r1cs = [ "ark-relations", "ark-r1cs-std", "hashbrown", "ark-crypto-primitives/r1cs"]
 print-trace = [ "ark-std/print-trace" ]
-parallel = [ "std", "ark-ff/parallel", "ark-ec/parallel", "ark-poly/parallel", "ark-std/parallel", "rayon" ]
+parallel = [ "std", "ark-ff/parallel", "ark-ec/parallel", "ark-poly/parallel", "ark-std/parallel", "rayon", "rand" ]

poly-commit/README.md

@@ -56,6 +56,16 @@ EUROCRYPT 2020
 Aniket Kate, Gregory M. Zaverucha, Ian Goldberg     
 ASIACRYPT 2010
 
+### Hyrax multilinear PC
+
+Polynomial commitment scheme introduced together with the Hyrax zkSNARK (in [this](https://eprint.iacr.org/2017/1132) article). It is based on Pedersen commitments and therefore relies on the difficulty of the discrete logarithm problem in order to provide a hiding PCS.
+
+[Doubly-efficient zkSNARKs without trusted setup][hyrax]
+Riad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, Michael Walfish
+2018 IEEE Symposium on Security and Privacy
+
+[hyrax]: https://eprint.iacr.org/2017/1132
+
 ### Marlin variant of the Papamanthou-Shi-Tamassia multivariate PC
 
 Multivariate polynomial commitment based on the construction in the Papamanthou-Shi-Tamassia construction with batching and (optional) hiding property inspired by the univariate scheme in Marlin.

poly-commit/benches/hyrax_times.rs

@@ -0,0 +1,27 @@
+use ark_pcs_bench_templates::*;
+use ark_poly::{DenseMultilinearExtension, MultilinearExtension};
+
+use ark_bn254::{Fr, G1Affine};
+use ark_ff::PrimeField;
+use ark_poly_commit::hyrax::HyraxPC;
+
+use rand_chacha::ChaCha20Rng;
+
+// Hyrax PCS over BN254
+type Hyrax254 = HyraxPC<G1Affine, DenseMultilinearExtension<Fr>>;
+
+fn rand_poly_hyrax<F: PrimeField>(
+    num_vars: usize,
+    rng: &mut ChaCha20Rng,
+) -> DenseMultilinearExtension<F> {
+    DenseMultilinearExtension::rand(num_vars, rng)
+}
+
+fn rand_point_hyrax<F: PrimeField>(num_vars: usize, rng: &mut ChaCha20Rng) -> Vec<F> {
+    (0..num_vars).map(|_| F::rand(rng)).collect()
+}
+
+const MIN_NUM_VARS: usize = 12;
+const MAX_NUM_VARS: usize = 22;
+
+bench!(Hyrax254, rand_poly_hyrax, rand_point_hyrax);

poly-commit/benches/pcs.rs → poly-commit/benches/ipa_times.rs

@@ -22,7 +22,11 @@ fn rand_poly_ipa_pc<F: PrimeField>(degree: usize, rng: &mut ChaCha20Rng) -> Dens
     DenseUnivariatePoly::rand(degree, rng)
 }
 
+fn rand_point_ipa_pc<F: PrimeField>(_: usize, rng: &mut ChaCha20Rng) -> F {
+    F::rand(rng)
+}
+
 const MIN_NUM_VARS: usize = 10;
 const MAX_NUM_VARS: usize = 20;
 
-bench!(IPA_JubJub, rand_poly_ipa_pc);
+bench!(IPA_JubJub, rand_poly_ipa_pc, rand_point_ipa_pc);

poly-commit/src/error.rs

@@ -93,6 +93,49 @@ pub enum Error {
         /// Index of the offending polynomial.
         label: String,
     },
+
+    /// This means a failure in verifying the commitment or the opening.
+    InvalidCommitment,
+
+    /// This means during opening or verification, a commitment of incorrect
+    /// size (for example, with an insufficient number of entries) was
+    /// encountered
+    IncorrectCommitmentSize {
+        /// Encountered commitment size
+        encountered: usize,
+        /// Expected commitment size
+        expected: usize,
+    },
+
+    /// For PCS which rely on Fiat-Shamir to be rendered non-interactive,
+    /// these are errors that result from incorrect transcript manipulation.
+    TranscriptError,
+
+    /// This means the required soundness error bound is inherently impossible.
+    /// E.g., the field is not big enough.
+    InvalidParameters(String),
+
+    /// Error resulting from hashing in linear code - based PCS.
+    HashingError,
+
+    /// This means a commitment with a certain label was matched with a
+    /// a polynomial which has a different label - which shouldn't happen
+    MismatchedLabels {
+        /// The label of the commitment
+        commitment_label: String,
+        /// The label of the polynomial
+        polynomial_label: String,
+    },
+
+    /// This means multivariate polynomial with a certain number of variables
+    /// was matched (for instance, during commitment, opening or verification)
+    /// to a point with a different number of variables.
+    MismatchedNumVars {
+        /// The number of variables of the polynomial
+        poly_nv: usize,
+        /// The number of variables of the point
+        point_nv: usize,
+    },
 }
 
 impl core::fmt::Display for Error {
@@ -179,6 +222,28 @@ impl core::fmt::Display for Error {
                 support up to degree ({:?})", label, poly_degree, supported_degree
             ),
             Error::IncorrectInputLength(err) => write!(f, "{}", err),
+            Error::InvalidCommitment => write!(f, "Failed to verify the commitment"),
+            Error::IncorrectCommitmentSize {
+                encountered,
+                expected,
+            } => write!(
+                f,
+                "the commitment has size {}, but size {} was expected",
+                encountered, expected
+            ),
+            Error::TranscriptError => write!(f, "Incorrect transcript manipulation"),
+            Error::InvalidParameters(err) => write!(f, "{}", err),
+            Error::HashingError => write!(f, "Error resulting from hashing"),
+            Error::MismatchedLabels { commitment_label, polynomial_label } =>
+                write!(f, "Mismatched labels: commitment label: {}, polynomial label: {}",
+                    commitment_label,
+                    polynomial_label
+                ),
+            Error::MismatchedNumVars { poly_nv, point_nv } =>
+                write!(f, "Mismatched number of variables: polynomial has {}, point has {}",
+                    poly_nv,
+                    point_nv,
+                ),
         }
     }
 }