Merge pull request #16 from WizardOfMenlo/recmo/merge-ldt

Merge PCS and LDT
WizardOfMenlo · Nov 26, 2024 · b2c5996 · b2c5996
2 parents 02608a9 + 6c74f85
commit b2c5996
Show file tree

Hide file tree

Showing 16 changed files with 271 additions and 1,801 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -7,7 +7,7 @@ edition = "2021"
 default-run = "main"
 
 [dependencies]
-ark-std = {version = "0.5", features = ["std"]}
+ark-std = { version = "0.5", features = ["std"] }
 ark-ff = { version = "0.5", features = ["asm", "std"] }
 ark-serialize = "0.5"
 ark-crypto-primitives = { version = "0.5", features = ["merkle_tree"] }
@@ -23,7 +23,7 @@ clap = { version = "4.4.17", features = ["derive"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 nimue = { git = "https://github.com/arkworks-rs/nimue", features = ["ark"] }
-nimue-pow = { git = "https://github.com/arkworks-rs/nimue"}
+nimue-pow = { git = "https://github.com/arkworks-rs/nimue" }
 lazy_static = "1.4"
 rayon = { version = "1.10.0", optional = true }
 

diff --git a/src/bin/benchmark.rs b/src/bin/benchmark.rs
@@ -19,7 +19,7 @@ use whir::{
     },
     parameters::*,
     poly_utils::coeffs::CoefficientList,
-    whir::Statement,
+    whir::{iopattern::WhirIOPattern, Statement},
 };
 
 use serde::Serialize;
@@ -228,6 +228,7 @@ fn run_whir<F, MerkleConfig>(
     let mv_params = MultivariateParameters::<F>::new(num_variables);
 
     let whir_params = WhirParameters::<MerkleConfig, PowStrategy> {
+        initial_statement: true,
         security_level,
         pow_bits,
         folding_factor,
@@ -253,11 +254,15 @@ fn run_whir<F, MerkleConfig>(
         whir_ldt_verifier_hashes,
     ) = {
         // Run LDT
-        use whir::whir_ldt::{
+        use whir::whir::{
             committer::Committer, iopattern::WhirIOPattern, parameters::WhirConfig, prover::Prover,
             verifier::Verifier, whir_proof_size,
         };
 
+        let whir_params = WhirParameters::<MerkleConfig, PowStrategy> {
+            initial_statement: false,
+            ..whir_params.clone()
+        };
         let params =
             WhirConfig::<F, MerkleConfig, PowStrategy>::new(mv_params, whir_params.clone());
         if !params.check_pow_bits() {
@@ -280,7 +285,9 @@ fn run_whir<F, MerkleConfig>(
 
         let prover = Prover(params.clone());
 
-        let proof = prover.prove(&mut merlin, witness).unwrap();
+        let proof = prover
+            .prove(&mut merlin, Statement::default(), witness)
+            .unwrap();
 
         let whir_ldt_prover_time = whir_ldt_prover_time.elapsed();
         let whir_ldt_argument_size = whir_proof_size(merlin.transcript(), &proof);
@@ -293,7 +300,9 @@ fn run_whir<F, MerkleConfig>(
         let whir_ldt_verifier_time = Instant::now();
         for _ in 0..reps {
             let mut arthur = io.to_arthur(merlin.transcript());
-            verifier.verify(&mut arthur, &proof).unwrap();
+            verifier
+                .verify(&mut arthur, &Statement::default(), &proof)
+                .unwrap();
         }
 
         let whir_ldt_verifier_time = whir_ldt_verifier_time.elapsed();

diff --git a/src/bin/main.rs b/src/bin/main.rs
@@ -15,6 +15,7 @@ use whir::{
     },
     parameters::*,
     poly_utils::{coeffs::CoefficientList, MultilinearPoint},
+    whir::Statement,
 };
 
 use nimue_pow::blake3::Blake3PoW;
@@ -199,9 +200,9 @@ fn run_whir_as_ldt<F, MerkleConfig>(
     MerkleConfig: Config<Leaf = [F]> + Clone,
     MerkleConfig::InnerDigest: AsRef<[u8]> + From<[u8; 32]>,
 {
-    use whir::whir_ldt::{
+    use whir::whir::{
         committer::Committer, iopattern::WhirIOPattern, parameters::WhirConfig, prover::Prover,
-        verifier::Verifier, whir_proof_size,
+        verifier::Verifier,
     };
 
     // Runs as a LDT
@@ -223,6 +224,7 @@ fn run_whir_as_ldt<F, MerkleConfig>(
     let mv_params = MultivariateParameters::<F>::new(num_variables);
 
     let whir_params = WhirParameters::<MerkleConfig, PowStrategy> {
+        initial_statement: false,
         security_level,
         pow_bits,
         folding_factor,
@@ -234,12 +236,11 @@ fn run_whir_as_ldt<F, MerkleConfig>(
         starting_log_inv_rate: starting_rate,
     };
 
-    let params = WhirConfig::<F, MerkleConfig, PowStrategy>::new(mv_params, whir_params);
+    let params = WhirConfig::<F, MerkleConfig, PowStrategy>::new(mv_params, whir_params.clone());
 
     let io = IOPattern::<DefaultHash>::new("🌪️")
         .commit_statement(&params)
-        .add_whir_proof(&params)
-        .clone();
+        .add_whir_proof(&params);
 
     let mut merlin = io.to_merlin();
 
@@ -265,19 +266,30 @@ fn run_whir_as_ldt<F, MerkleConfig>(
 
     let prover = Prover(params.clone());
 
-    let proof = prover.prove(&mut merlin, witness).unwrap();
+    let proof = prover
+        .prove(&mut merlin, Statement::default(), witness)
+        .unwrap();
 
     dbg!(whir_prover_time.elapsed());
-    dbg!(whir_proof_size(merlin.transcript(), &proof));
+
+    // Serialize proof
+    let transcript = merlin.transcript().to_vec();
+    let mut proof_bytes = vec![];
+    proof.serialize_compressed(&mut proof_bytes).unwrap();
+
+    let proof_size = transcript.len() + proof_bytes.len();
+    dbg!(proof_size);
 
     // Just not to count that initial inversion (which could be precomputed)
-    let verifier = Verifier::new(params);
+    let verifier = Verifier::new(params.clone());
 
     HashCounter::reset();
     let whir_verifier_time = Instant::now();
     for _ in 0..reps {
-        let mut arthur = io.to_arthur(merlin.transcript());
-        verifier.verify(&mut arthur, &proof).unwrap();
+        let mut arthur = io.to_arthur(&transcript);
+        verifier
+            .verify(&mut arthur, &Statement::default(), &proof)
+            .unwrap();
     }
     dbg!(whir_verifier_time.elapsed() / reps as u32);
     dbg!(HashCounter::get() as f64 / reps as f64);
@@ -317,6 +329,7 @@ fn run_whir_pcs<F, MerkleConfig>(
     let mv_params = MultivariateParameters::<F>::new(num_variables);
 
     let whir_params = WhirParameters::<MerkleConfig, PowStrategy> {
+        initial_statement: true,
         security_level,
         pow_bits,
         folding_factor,

diff --git a/src/lib.rs b/src/lib.rs
@@ -8,4 +8,3 @@ pub mod poly_utils; // Utils for polynomials
 pub mod sumcheck; // Sumcheck specialised
 pub mod utils; // Utils in general
 pub mod whir; // The real prover
-pub mod whir_ldt; // Whir as a LDT // Shared parameters
diff --git a/src/parameters.rs b/src/parameters.rs
@@ -101,6 +101,7 @@ pub struct WhirParameters<MerkleConfig, PowStrategy>
 where
     MerkleConfig: Config,
 {
+    pub initial_statement: bool,
     pub starting_log_inv_rate: usize,
     pub folding_factor: usize,
     pub soundness_type: SoundnessType,

diff --git a/src/whir/iopattern.rs b/src/whir/iopattern.rs
@@ -34,18 +34,28 @@ where
         params: &WhirConfig<F, MerkleConfig, PowStrategy>,
     ) -> Self {
         // TODO: Add params
-        self.add_bytes(32, "merkle_digest")
-            .add_ood(params.committment_ood_samples)
+        let mut this = self.add_bytes(32, "merkle_digest");
+        if params.committment_ood_samples > 0 {
+            assert!(params.initial_statement);
+            this = this.add_ood(params.committment_ood_samples);
+        }
+        this
     }
 
     fn add_whir_proof<MerkleConfig: Config, PowStrategy>(
         mut self,
         params: &WhirConfig<F, MerkleConfig, PowStrategy>,
     ) -> Self {
         // TODO: Add statement
-        self = self
-            .challenge_scalars(1, "initial_combination_randomness")
-            .add_sumcheck(params.folding_factor, params.starting_folding_pow_bits);
+        if params.initial_statement {
+            self = self
+                .challenge_scalars(1, "initial_combination_randomness")
+                .add_sumcheck(params.folding_factor, params.starting_folding_pow_bits);
+        } else {
+            self = self
+                .challenge_scalars(params.folding_factor, "folding_randomness")
+                .pow(params.starting_folding_pow_bits);
+        }
 
         let mut folded_domain_size = params.starting_domain.folded_size(params.folding_factor);
 

diff --git a/src/whir/mod.rs b/src/whir/mod.rs
@@ -10,7 +10,7 @@ pub mod prover;
 pub mod verifier;
 mod fs_utils;
 
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, Default)]
 pub struct Statement<F> {
     pub points: Vec<MultilinearPoint<F>>,
     pub evaluations: Vec<F>,
@@ -70,6 +70,7 @@ mod tests {
         let mv_params = MultivariateParameters::<F>::new(num_variables);
 
         let whir_params = WhirParameters::<MerkleConfig, PowStrategy> {
+            initial_statement: true,
             security_level: 32,
             pow_bits,
             folding_factor,

diff --git a/src/whir/parameters.rs b/src/whir/parameters.rs
@@ -22,6 +22,7 @@ where
     pub(crate) max_pow_bits: usize,
 
     pub(crate) committment_ood_samples: usize,
+    pub(crate) initial_statement: bool,
     pub(crate) starting_domain: Domain<F>,
     pub(crate) starting_log_inv_rate: usize,
     pub(crate) starting_folding_pow_bits: f64,
@@ -86,29 +87,47 @@ where
 
         let field_size_bits = F::field_size_in_bits();
 
-        let committment_ood_samples = Self::ood_samples(
-            whir_parameters.security_level,
-            whir_parameters.soundness_type,
-            mv_parameters.num_variables,
-            whir_parameters.starting_log_inv_rate,
-            Self::log_eta(
+        let committment_ood_samples = if whir_parameters.initial_statement {
+            Self::ood_samples(
+                whir_parameters.security_level,
                 whir_parameters.soundness_type,
+                mv_parameters.num_variables,
                 whir_parameters.starting_log_inv_rate,
-            ),
-            field_size_bits,
-        );
+                Self::log_eta(
+                    whir_parameters.soundness_type,
+                    whir_parameters.starting_log_inv_rate,
+                ),
+                field_size_bits,
+            )
+        } else {
+            0
+        };
 
-        let starting_folding_pow_bits = Self::folding_pow_bits(
-            whir_parameters.security_level,
-            whir_parameters.soundness_type,
-            field_size_bits,
-            mv_parameters.num_variables,
-            whir_parameters.starting_log_inv_rate,
-            Self::log_eta(
+        let starting_folding_pow_bits = if whir_parameters.initial_statement {
+            Self::folding_pow_bits(
+                whir_parameters.security_level,
                 whir_parameters.soundness_type,
+                field_size_bits,
+                mv_parameters.num_variables,
                 whir_parameters.starting_log_inv_rate,
-            ),
-        );
+                Self::log_eta(
+                    whir_parameters.soundness_type,
+                    whir_parameters.starting_log_inv_rate,
+                ),
+            )
+        } else {
+            let prox_gaps_error = Self::rbr_soundness_fold_prox_gaps(
+                whir_parameters.soundness_type,
+                field_size_bits,
+                mv_parameters.num_variables,
+                whir_parameters.starting_log_inv_rate,
+                Self::log_eta(
+                    whir_parameters.soundness_type,
+                    whir_parameters.starting_log_inv_rate,
+                ),
+            ) + (whir_parameters.folding_factor as f64).log2();
+            0_f64.max(whir_parameters.security_level as f64 - prox_gaps_error)
+        };
 
         let mut round_parameters = Vec::with_capacity(num_rounds);
         let mut num_variables = mv_parameters.num_variables - whir_parameters.folding_factor;
@@ -186,6 +205,7 @@ where
         WhirConfig {
             security_level: whir_parameters.security_level,
             max_pow_bits: whir_parameters.pow_bits,
+            initial_statement: whir_parameters.initial_statement,
             committment_ood_samples,
             mv_parameters,
             starting_domain,
@@ -240,13 +260,9 @@ where
         log_eta: f64,
     ) -> f64 {
         match soundness_type {
-            SoundnessType::ConjectureList => {
-
-                (num_variables + log_inv_rate) as f64 - log_eta
-            }
+            SoundnessType::ConjectureList => (num_variables + log_inv_rate) as f64 - log_eta,
             SoundnessType::ProvableList => {
                 let log_inv_sqrt_rate: f64 = log_inv_rate as f64 / 2.;
-
                 log_inv_sqrt_rate - (1. + log_eta)
             }
             SoundnessType::UniqueDecoding => 0.0,
@@ -385,7 +401,6 @@ where
         num_queries: usize,
     ) -> f64 {
         let num_queries = num_queries as f64;
-
 
         match soundness_type {
             SoundnessType::UniqueDecoding => {