Add CycleFoldCommittedInstanceVar::new_incoming_from_components to simplify the construction of incoming CF instances

winderica · winderica · commit bb0dd4f20a13 · 2024-09-11T23:45:52.000+08:00
diff --git a/folding-schemes/src/folding/circuits/cyclefold.rs b/folding-schemes/src/folding/circuits/cyclefold.rs
@@ -15,12 +15,12 @@ use ark_r1cs_std::{
 use ark_relations::r1cs::{
     ConstraintSynthesizer, ConstraintSystem, ConstraintSystemRef, Namespace, SynthesisError,
 };
-use ark_std::fmt::Debug;
-use ark_std::rand::RngCore;
-use ark_std::Zero;
-use core::{borrow::Borrow, marker::PhantomData};
+use ark_std::{borrow::Borrow, fmt::Debug, marker::PhantomData, rand::RngCore, One, Zero};
 
-use super::{nonnative::uint::NonNativeUintVar, CF1, CF2};
+use super::{
+    nonnative::{affine::NonNativeAffineVar, uint::NonNativeUintVar},
+    CF1, CF2,
+};
 use crate::arith::r1cs::{extract_w_x, R1CS};
 use crate::commitment::CommitmentScheme;
 use crate::constants::NOVA_N_BITS_RO;
@@ -46,6 +46,7 @@ where
     pub cmW: GC,
     pub x: Vec<NonNativeUintVar<CF2<C>>>,
 }
+
 impl<C, GC> AllocVar<CycleFoldCommittedInstance<C>, CF2<C>> for CycleFoldCommittedInstanceVar<C, GC>
 where
     C: CurveGroup,
@@ -127,6 +128,45 @@ where
     }
 }
 
+impl<C2, GC2> CycleFoldCommittedInstanceVar<C2, GC2>
+where
+    C2: CurveGroup,
+    GC2: CurveVar<C2, CF2<C2>> + ToConstraintFieldGadget<CF2<C2>>,
+    C2::BaseField: PrimeField,
+    for<'a> &'a GC2: GroupOpsBounds<'a, C2, GC2>,
+{
+    /// Creates a new `CycleFoldCommittedInstanceVar` from the given components.
+    pub fn new_incoming_from_components<C1: CurveGroup<ScalarField = C2::BaseField>>(
+        cmW: GC2,
+        r_bits: &[Boolean<CF2<C2>>],
+        points: Vec<NonNativeAffineVar<C1>>,
+    ) -> Result<Self, SynthesisError> {
+        // Construct the public inputs `x` from `r_bits` and `points`.
+        // Note that the underlying field can only safely store
+        // `CF1::<C2>::MODULUS_BIT_SIZE - 1` bits, but `r_bits` may be longer
+        // than that.
+        // Thus, we need to chunk `r_bits` into pieces and convert each piece
+        // to a `NonNativeUintVar`.
+        let x = r_bits
+            .chunks(CF1::<C2>::MODULUS_BIT_SIZE as usize - 1)
+            .map(|bits| {
+                let mut bits = bits.to_vec();
+                bits.resize(CF1::<C2>::MODULUS_BIT_SIZE as usize, Boolean::FALSE);
+                NonNativeUintVar::from(&bits)
+            })
+            .chain(points.into_iter().flat_map(|p| [p.x, p.y]))
+            .collect::<Vec<_>>();
+        Ok(Self {
+            // `cmE` is always zero for incoming instances
+            cmE: GC2::zero(),
+            // `u` is always one for incoming instances
+            u: NonNativeUintVar::new_constant(ConstraintSystemRef::None, CF1::<C2>::one())?,
+            cmW,
+            x,
+        })
+    }
+}
+
 impl<C: CurveGroup> CycleFoldCommittedInstance<C>
 where
     <C as ark_ec::CurveGroup>::BaseField: ark_ff::PrimeField + Absorb,
diff --git a/folding-schemes/src/folding/hypernova/circuits.rs b/folding-schemes/src/folding/hypernova/circuits.rs
@@ -35,7 +35,7 @@ use crate::folding::{
             CycleFoldChallengeGadget, CycleFoldCommittedInstance, CycleFoldCommittedInstanceVar,
             CycleFoldConfig, NIFSFullGadget,
         },
-        nonnative::{affine::NonNativeAffineVar, uint::NonNativeUintVar},
+        nonnative::affine::NonNativeAffineVar,
         sum_check::{IOPProofVar, SumCheckVerifierGadget, VPAuxInfoVar},
         utils::EqEvalGadget,
         CF1, CF2,
@@ -812,41 +812,22 @@ where
         let x = FpVar::new_input(cs.clone(), || Ok(self.x.unwrap_or(u_i1_x_base.value()?)))?;
         x.enforce_equal(&is_basecase.select(&u_i1_x_base, &u_i1_x)?)?;
 
-        // convert rho_bits of the rho_vec to a `NonNativeFieldVar`
-        let mut rho_bits_resized = rho_bits.clone();
-        rho_bits_resized.resize(C1::BaseField::MODULUS_BIT_SIZE as usize, Boolean::FALSE);
-        let rho_nonnat = NonNativeUintVar::from(&rho_bits_resized);
-
         // CycleFold part
-        // C.1. Compute cf1_u_i.x and cf2_u_i.x
-        let cf_x: Vec<NonNativeUintVar<CF2<C2>>> = [
-            vec![rho_nonnat],
+        // C.1. Compute `cf_u_i.x`
+        // C.2. Construct `cf_u_i`
+        let cf_u_i = CycleFoldCommittedInstanceVar::new_incoming_from_components(
+            // `cf_u_i.cmW` is provided by the prover as witness.
+            GC2::new_witness(cs.clone(), || Ok(self.cf_u_i_cmW.unwrap_or(C2::zero())))?,
+            // The computation of `cf_u_i.x` requires the randomness `rho_bits`
+            // and the commitments `C` in LCCCS and CCCS instances.
+            &rho_bits,
             all_Us
-                .iter()
-                .flat_map(|U| vec![U.C.x.clone(), U.C.y.clone()])
+                .into_iter()
+                .map(|U| U.C)
+                .chain(all_us.into_iter().map(|u| u.C))
+                .chain(vec![U_i1.C])
                 .collect(),
-            all_us
-                .iter()
-                .flat_map(|u| vec![u.C.x.clone(), u.C.y.clone()])
-                .collect(),
-            vec![U_i1.C.x, U_i1.C.y],
-        ]
-        .concat();
-
-        // ensure that cf_u has as public inputs the C from main instances U_i, u_i, U_i+1
-        // coordinates of the commitments.
-        // C.2. Construct `cf_u_i`
-        let cf_u_i = CycleFoldCommittedInstanceVar::<C2, GC2> {
-            // cf1_u_i.cmE = 0. Notice that we enforce cmE to be equal to 0 since it is allocated
-            // as 0.
-            cmE: GC2::zero(),
-            // cf1_u_i.u = 1
-            u: NonNativeUintVar::new_constant(cs.clone(), C1::BaseField::one())?,
-            // cf_u_i.cmW is provided by the prover as witness
-            cmW: GC2::new_witness(cs.clone(), || Ok(self.cf_u_i_cmW.unwrap_or(C2::zero())))?,
-            // cf_u_i.x is computed in step 1
-            x: cf_x,
-        };
+        )?;
 
         // C.3. nifs.verify (fold_committed_instance), obtains cf_U_{i+1} by folding cf_u_i & cf_U_i.
         // compute cf_r = H(cf_u_i, cf_U_i, cf_cmT)
diff --git a/folding-schemes/src/folding/nova/circuits.rs b/folding-schemes/src/folding/nova/circuits.rs
@@ -17,7 +17,7 @@ use ark_r1cs_std::{
     R1CSVar, ToConstraintFieldGadget,
 };
 use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystemRef, Namespace, SynthesisError};
-use ark_std::{fmt::Debug, One, Zero};
+use ark_std::{fmt::Debug, Zero};
 use core::{borrow::Borrow, marker::PhantomData};
 
 use super::{CommittedInstance, NovaCycleFoldConfig};
@@ -27,7 +27,7 @@ use crate::folding::circuits::{
         CycleFoldChallengeGadget, CycleFoldCommittedInstance, CycleFoldCommittedInstanceVar,
         CycleFoldConfig, NIFSFullGadget,
     },
-    nonnative::{affine::NonNativeAffineVar, uint::NonNativeUintVar},
+    nonnative::affine::NonNativeAffineVar,
     CF1, CF2,
 };
 use crate::frontend::FCircuit;
@@ -405,12 +405,6 @@ where
             cmT.clone(),
         )?;
         let r = Boolean::le_bits_to_fp_var(&r_bits)?;
-        // Also convert r_bits to a `NonNativeFieldVar`
-        let r_nonnat = {
-            let mut bits = r_bits;
-            bits.resize(C1::BaseField::MODULUS_BIT_SIZE as usize, Boolean::FALSE);
-            NonNativeUintVar::from(&bits)
-        };
 
         // Notice that NIFSGadget::fold_committed_instance does not fold cmE & cmW.
         // We set `U_i1.cmE` and `U_i1.cmW` to unconstrained witnesses `U_i1_cmE` and `U_i1_cmW`
@@ -442,42 +436,24 @@ where
 
         // CycleFold part
         // C.1. Compute cf1_u_i.x and cf2_u_i.x
-        let cfW_x = vec![
-            r_nonnat.clone(),
-            U_i.cmW.x,
-            U_i.cmW.y,
-            u_i.cmW.x,
-            u_i.cmW.y,
-            U_i1.cmW.x,
-            U_i1.cmW.y,
-        ];
-        let cfE_x = vec![
-            r_nonnat, U_i.cmE.x, U_i.cmE.y, cmT.x, cmT.y, U_i1.cmE.x, U_i1.cmE.y,
-        ];
-
-        // ensure that cf1_u & cf2_u have as public inputs the cmW & cmE from main instances U_i,
-        // u_i, U_i+1 coordinates of the commitments
         // C.2. Construct `cf1_u_i` and `cf2_u_i`
-        let cf1_u_i = CycleFoldCommittedInstanceVar {
-            // cf1_u_i.cmE = 0
-            cmE: GC2::zero(),
-            // cf1_u_i.u = 1
-            u: NonNativeUintVar::new_constant(cs.clone(), C1::BaseField::one())?,
-            // cf1_u_i.cmW is provided by the prover as witness
-            cmW: GC2::new_witness(cs.clone(), || Ok(self.cf1_u_i_cmW.unwrap_or(C2::zero())))?,
-            // cf1_u_i.x is computed in step 1
-            x: cfW_x,
-        };
-        let cf2_u_i = CycleFoldCommittedInstanceVar {
-            // cf2_u_i.cmE = 0
-            cmE: GC2::zero(),
-            // cf2_u_i.u = 1
-            u: NonNativeUintVar::new_constant(cs.clone(), C1::BaseField::one())?,
-            // cf2_u_i.cmW is provided by the prover as witness
-            cmW: GC2::new_witness(cs.clone(), || Ok(self.cf2_u_i_cmW.unwrap_or(C2::zero())))?,
-            // cf2_u_i.x is computed in step 1
-            x: cfE_x,
-        };
+        let cf1_u_i = CycleFoldCommittedInstanceVar::new_incoming_from_components(
+            // `cf1_u_i.cmW` is provided by the prover as witness.
+            GC2::new_witness(cs.clone(), || Ok(self.cf1_u_i_cmW.unwrap_or(C2::zero())))?,
+            // The computation of `cf1_u_i.x` requires the randomness `r_bits`
+            // and the commitments `cmW` in CommittedInstances.
+            &r_bits,
+            vec![U_i.cmW, u_i.cmW, U_i1.cmW],
+        )?;
+        let cf2_u_i = CycleFoldCommittedInstanceVar::new_incoming_from_components(
+            // `cf2_u_i.cmW` is provided by the prover as witness.
+            GC2::new_witness(cs.clone(), || Ok(self.cf2_u_i_cmW.unwrap_or(C2::zero())))?,
+            // The computation of `cf2_u_i.x` requires the randomness `r_bits`,
+            // the commitments `cmE` in CommittedInstances, and the cross term
+            // commitment `cmT`.
+            &r_bits,
+            vec![U_i.cmE, cmT, U_i1.cmE],
+        )?;
 
         // C.3. nifs.verify, obtains cf1_U_{i+1} by folding cf1_u_i & cf_U_i, and then cf_U_{i+1}
         // by folding cf2_u_i & cf1_U_{i+1}.
diff --git a/folding-schemes/src/folding/protogalaxy/circuits.rs b/folding-schemes/src/folding/protogalaxy/circuits.rs
@@ -8,15 +8,14 @@ use ark_ff::PrimeField;
 use ark_poly::{univariate::DensePolynomial, EvaluationDomain, GeneralEvaluationDomain};
 use ark_r1cs_std::{
     alloc::AllocVar,
-    boolean::Boolean,
     eq::EqGadget,
     fields::{fp::FpVar, FieldVar},
     groups::{CurveVar, GroupOpsBounds},
     poly::polynomial::univariate::dense::DensePolynomialVar,
     R1CSVar, ToBitsGadget, ToConstraintFieldGadget,
 };
 use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystemRef, SynthesisError};
-use ark_std::{fmt::Debug, marker::PhantomData, One, Zero};
+use ark_std::{fmt::Debug, marker::PhantomData, Zero};
 
 use super::{
     folding::lagrange_polys,
@@ -29,7 +28,7 @@ use crate::{
             CycleFoldChallengeGadget, CycleFoldCommittedInstance, CycleFoldCommittedInstanceVar,
             CycleFoldConfig, NIFSFullGadget,
         },
-        nonnative::{affine::NonNativeAffineVar, uint::NonNativeUintVar},
+        nonnative::affine::NonNativeAffineVar,
         CF1, CF2,
     },
     frontend::FCircuit,
@@ -165,7 +164,7 @@ impl AugmentationGadget {
         Ok((U, L_X_evals))
     }
 
-    pub fn prepare_and_fold_cyclefold<
+    pub fn fold_cyclefold<
         C1: CurveGroup<BaseField = C2::ScalarField, ScalarField = C2::BaseField>,
         C2: CurveGroup,
         GC2: CurveVar<C2, CF2<C2>> + ToConstraintFieldGadget<CF2<C2>>,
@@ -174,32 +173,19 @@ impl AugmentationGadget {
         transcript: &mut PoseidonSpongeVar<CF1<C1>>,
         pp_hash: FpVar<CF1<C1>>,
         mut cf_U: CycleFoldCommittedInstanceVar<C2, GC2>,
-        cf_u_cmWs: Vec<GC2>,
-        cf_u_xs: Vec<Vec<NonNativeUintVar<CF1<C1>>>>,
+        cf_us: Vec<CycleFoldCommittedInstanceVar<C2, GC2>>,
         cf_cmTs: Vec<GC2>,
     ) -> Result<CycleFoldCommittedInstanceVar<C2, GC2>, SynthesisError>
     where
         C2::BaseField: PrimeField + Absorb,
         for<'a> &'a GC2: GroupOpsBounds<'a, C2, GC2>,
     {
-        assert_eq!(cf_u_cmWs.len(), cf_u_xs.len());
-        assert_eq!(cf_u_xs.len(), cf_cmTs.len());
+        assert_eq!(cf_us.len(), cf_cmTs.len());
 
         // Fold the incoming CycleFold instances into the running CycleFold
         // instance in a iterative way, since `NIFSFullGadget` only supports
         // folding one incoming instance at a time.
-        for ((cmW, x), cmT) in cf_u_cmWs.into_iter().zip(cf_u_xs).zip(cf_cmTs) {
-            // Prepare the incoming CycleFold instance `cf_u` for the current
-            // iteration.
-            // For each CycleFold instance `cf_u`, we have `cf_u.cmE = 0`, and
-            // `cf_u.u = 1`.
-            let cf_u = CycleFoldCommittedInstanceVar {
-                cmE: GC2::zero(),
-                u: NonNativeUintVar::new_constant(ConstraintSystemRef::None, C1::BaseField::one())?,
-                cmW,
-                x,
-            };
-
+        for (cf_u, cmT) in cf_us.into_iter().zip(cf_cmTs) {
             let cf_r_bits = CycleFoldChallengeGadget::get_challenge_gadget(
                 transcript,
                 pp_hash.clone(),
@@ -401,63 +387,33 @@ where
 
         // CycleFold part
         // C.1. Compute cf1_u_i.x and cf2_u_i.x
-        let mut r0_bits = r[0].to_bits_le()?;
-        let mut r1_bits = r[1].to_bits_le()?;
-        r0_bits.resize(C1::ScalarField::MODULUS_BIT_SIZE as usize, Boolean::FALSE);
-        r1_bits.resize(C1::ScalarField::MODULUS_BIT_SIZE as usize, Boolean::FALSE);
-        let cf1_x = [
-            r0_bits
-                .chunks(C1::BaseField::MODULUS_BIT_SIZE as usize - 1)
-                .map(|bits| {
-                    let mut bits = bits.to_vec();
-                    bits.resize(C1::BaseField::MODULUS_BIT_SIZE as usize, Boolean::FALSE);
-                    NonNativeUintVar::from(&bits)
-                })
-                .collect::<Vec<_>>(),
-            vec![
-                NonNativeUintVar::new_constant(cs.clone(), C1::BaseField::zero())?,
-                NonNativeUintVar::new_constant(cs.clone(), C1::BaseField::zero())?,
-                U_i.phi.x.clone(),
-                U_i.phi.y.clone(),
-                phi_stars[0].x.clone(),
-                phi_stars[0].y.clone(),
-            ],
-        ]
-        .concat();
-        let cf2_x = [
-            r1_bits
-                .chunks(C1::BaseField::MODULUS_BIT_SIZE as usize - 1)
-                .map(|bits| {
-                    let mut bits = bits.to_vec();
-                    bits.resize(C1::BaseField::MODULUS_BIT_SIZE as usize, Boolean::FALSE);
-                    NonNativeUintVar::from(&bits)
-                })
-                .collect::<Vec<_>>(),
-            vec![
-                phi_stars[0].x.clone(),
-                phi_stars[0].y.clone(),
-                u_i_phi.x.clone(),
-                u_i_phi.y.clone(),
-                U_i1.phi.x.clone(),
-                U_i1.phi.y.clone(),
-            ],
-        ]
-        .concat();
-
-        // C.2. Prepare incoming CycleFold instances
-        // C.3. Fold incoming CycleFold instances into the running instance
-        let cf_U_i1 =
-            AugmentationGadget::prepare_and_fold_cyclefold::<C1, C2, GC2, PoseidonSponge<CF1<C1>>>(
-                &mut transcript,
-                pp_hash.clone(),
-                cf_U_i,
-                vec![
-                    GC2::new_witness(cs.clone(), || Ok(self.cf1_u_i_cmW))?,
-                    GC2::new_witness(cs.clone(), || Ok(self.cf2_u_i_cmW))?,
-                ],
-                vec![cf1_x, cf2_x],
-                vec![cf1_cmT, cf2_cmT],
+        // C.2. Construct `cf1_u_i` and `cf2_u_i`
+        let cf1_u: CycleFoldCommittedInstanceVar<C2, GC2> =
+            CycleFoldCommittedInstanceVar::new_incoming_from_components(
+                // `cf1_u_i.cmW` is provided by the prover as witness.
+                GC2::new_witness(cs.clone(), || Ok(self.cf1_u_i_cmW))?,
+                // The computation of `cf1_u_i.x` requires the randomness `r[0]`, the
+                // commitments `phi` in CommittedInstances, and `phi_stars[0]`.
+                &r[0].to_bits_le()?,
+                vec![NonNativeAffineVar::zero(), U_i.phi, phi_stars[0].clone()],
             )?;
+        let cf2_u = CycleFoldCommittedInstanceVar::new_incoming_from_components(
+            // `cf2_u_i.cmW` is provided by the prover as witness.
+            GC2::new_witness(cs.clone(), || Ok(self.cf2_u_i_cmW))?,
+            // The computation of `cf2_u_i.x` requires the randomness `r[1]`, the
+            // commitments `phi` in CommittedInstances, and `phi_stars[0]`.
+            &r[1].to_bits_le()?,
+            vec![phi_stars[0].clone(), u_i_phi, U_i1.phi],
+        )?;
+
+        // C.3. Fold incoming CycleFold instances into the running instance
+        let cf_U_i1 = AugmentationGadget::fold_cyclefold::<C1, C2, GC2, PoseidonSponge<CF1<C1>>>(
+            &mut transcript,
+            pp_hash.clone(),
+            cf_U_i,
+            vec![cf1_u, cf2_u],
+            vec![cf1_cmT, cf2_cmT],
+        )?;
 
         // Back to Primary Part
         // P.4.b compute and check the second output of F'
