Reconstruct ZKP: Add Extension Field and Compile SNARKs with PCS (#148)

* range check without optimizations and random test

* fmt

* add random test

* fmt

* clippy

* comments

* record

* backup

* logup

* fmt

* fmt

* comment

* lookup num can be arbitrary integer

* fiat shamir randomness

* enable more actions for check (#133)

* enable more actions for check

* disable `asm` feature for `sha2`

* update `bytemuck` and `criterion`

* cfg `sha2`

* move batch_inverse to util

* reconstruct BitDecomposition

* finish bit decomp

* unify transcript in FF and EF

* snarks for bit decomposition

* reconstruct addition in Zq

* add snarks for addition in zq

* general lookup

* finish iop for ntt

* snarks for ntt

* add EF for RoundIOP

* snarks for round

* range check without optimizations and random test

* fmt

* add random test

* fmt

* clippy

* comments

* record

* backup

* logup

* fmt

* fmt

* comment

* lookup num can be arbitrary integer

* fiat shamir randomness

* move batch_inverse to util

* general lookup

* fix

* reconstruct RLWE * RGSW

* reconstruct snarks for RLWE * RGSW

* fmt

* add RLWE * RGSW example

* delete dead code

* rename

* rename

* reconstruct Accumulator

* check equality relations among ACC

* add snarks for ACC

* fmt

* check & clippy

* fix

* fix BabyBear

* rewrite zq to rQ

* fmt

* for merge

* snarky lookup

* fix

* fix

* add example for zq to rq

* optimize with lookup

* rename to floor

* add round

* sumcheck paralleled, >2x improved

* optimize evaluate_ext

* optimize acc evaluate_ext

* minor for lookup

* mle from poly

* revise ntt

* optimized with hashmap

* fmt & clippy & test

* clippy

* fix fmt/clippy/typo

* typo clippy

* Remove `check-msrv` (#150)

* remove `check-msrv`

* remove `typos`

* Alter field (#146)

* remake `primitive`

* add `ExpPowOf2Reduce` ops

* add `NegOne` and `ConstNegOne` trait

* clippy

* typos

* improve `CarryingMul` and `WideningMul`

* file rename

* add pcs batch open and verify

* minor

* add assertion

* minor

* update lookup

* minor

* minor

* refine lookup

* pcs for extension field polynomial

* clippy

* finish lookup

* refine bit decomposition types

* refine bit decomposition

* refine addition in Zq

* refine lookup

* refine bit decomp

* remove lookup in addition in zq and refine

* refine ntt names

* refine ntt-bare

* ntt refine first version

* refine proof struct

* refine instance info struct

* refine ntt

* refine ntt

* refine ntt example

* combine ntt normal and reverse order

* refine ntt in normal and reverse order

* refine floor

* refine round

* rename zq_to_rq to lift

* refine lift

* refine extenal product naming

* rename

* refine external product

* refine EP step 2

* refine

* refine external product

* refine acc

* Revert "refine acc"

This reverts commit 88ab2fc.

* simplify add struct

* refine acc complete

* refactor

* refactor

* optimize acc proving time

* remove dead code

* remove ds_store

* clippy

* clippy

---------

Co-authored-by: Tianyu Zhang <[email protected]>
Co-authored-by: Haofei Liang <[email protected]>
Co-authored-by: Xiang Xie <[email protected]>

Cargo.toml

@@ -22,12 +22,12 @@ rand_distr = "0.4"
 rand_core = "0.6.4"
 rand_chacha = "0.3.1"
 rayon = "1"
-bytemuck = { version = "1.17", features = ["derive"] }
+bytemuck = { version = "1.13", features = ["derive"] }
 merlin = { version = "3.0.0", default-features = false }
 serde = { version = "1.0", features = ["derive"] }
 bincode = "1.3"
-itertools = "0.13"
-sha2 = { version = "0.10" }
+itertools = "0.13.0"
+sha2 = { version = "0.10.7", features = ["asm"] }
 
 criterion = "0.5"
 

algebra/Cargo.toml

@@ -20,6 +20,7 @@ serde = { workspace = true }
 bincode = { workspace = true }
 concrete-ntt = { git = "https://github.com/pado-labs/concrete-ntt", branch = "main", optional = true }
 itertools = { workspace = true }
+rayon = { workspace = true }
 
 [features]
 default = ["concrete-ntt"]

algebra/examples/field.rs

@@ -1,6 +1,6 @@
 use algebra::{
-    derive::*, DecomposableField, Field, FieldBinarySampler, FieldDiscreteGaussianSampler,
-    FieldTernarySampler, FieldUniformSampler, Polynomial, PrimeField,
+    derive::*, Field, FieldBinarySampler, FieldDiscreteGaussianSampler, FieldTernarySampler,
+    FieldUniformSampler, Polynomial, PrimeField,
 };
 use num_traits::{Inv, One, Pow, Zero};
 use rand::prelude::*;

algebra/src/baby_bear/mod.rs

@@ -24,7 +24,7 @@ use crate::{
 };
 
 /// Implementation of BabyBear field.
-#[derive(Debug, Default, PartialEq, Eq, PartialOrd, Ord, Clone, Copy, Serialize, Deserialize)]
+#[derive(Debug, Default, PartialEq, Eq, Clone, Copy, Serialize, Deserialize, Hash)]
 pub struct BabyBear(u32);
 
 impl Field for BabyBear {
@@ -37,14 +37,30 @@ impl Field for BabyBear {
     fn new(value: Self::Value) -> Self {
         Self(to_monty(value))
     }
-}
 
-impl DecomposableField for BabyBear {
     #[inline]
     fn value(self) -> Self::Value {
         from_monty(self.0)
     }
+}
+
+impl PartialOrd for BabyBear {
+    fn partial_cmp(&self, other: &Self) -> Option<std::cmp::Ordering> {
+        Some(self.value().cmp(&other.value()))
+    }
+
+    fn lt(&self, other: &Self) -> bool {
+        self.value() < other.value()
+    }
+}
+
+impl Ord for BabyBear {
+    fn cmp(&self, other: &Self) -> std::cmp::Ordering {
+        self.value().cmp(&other.value())
+    }
+}
 
+impl DecomposableField for BabyBear {
     #[inline]
     fn decompose(self, basis: crate::Basis<Self>) -> Vec<Self> {
         let mut temp = self.value();

algebra/src/extension/binomial_extension.rs

@@ -162,6 +162,16 @@ impl<F: Field + BinomiallyExtendable<D> + Packable, const D: usize> Field
     }
 
     const MODULUS_VALUE: Self::Value = F::MODULUS_VALUE;
+
+    fn random<R: CryptoRng + Rng>(rng: &mut R) -> Self {
+        Self::from_base_fn(|_| FieldUniformSampler::new().sample(rng))
+    }
+
+    /// This part is inaccurate.
+    #[inline]
+    fn value(self) -> Self::Value {
+        self.value[0].value()
+    }
 }
 
 impl<F: Field + BinomiallyExtendable<D> + Packable, const D: usize> Display

algebra/src/field/mod.rs

@@ -1,6 +1,7 @@
 //! This place defines some concrete implement of field of the algebra.
 
 use std::fmt::{Debug, Display};
+use std::hash::Hash;
 use std::ops::{Add, AddAssign, Div, DivAssign, Mul, MulAssign, Neg, Sub, SubAssign};
 
 use num_traits::{ConstOne, ConstZero, Inv, Pow};
@@ -47,6 +48,7 @@ pub trait Field:
     + PartialOrd
     + ConstZero
     + ConstOne
+    + Hash
     + ConstNegOne
     + Add<Self, Output = Self>
     + Sub<Self, Output = Self>
@@ -94,13 +96,13 @@ pub trait Field:
 
         Self::new(hi.as_into())
     }
-}
 
-/// A trait defined for decomposable field, this is mainly for base field in FHE.
-pub trait DecomposableField: Field {
     /// Gets inner value.
     fn value(self) -> Self::Value;
+}
 
+/// A trait defined for decomposable field, this is mainly for base field in FHE.
+pub trait DecomposableField: Field {
     /// Decompose `self` according to `basis`,
     /// return the decomposed vector.
     ///

algebra/src/goldilocks/mod.rs

@@ -6,6 +6,7 @@ use serde::{Deserialize, Serialize};
 
 use std::{
     fmt::Display,
+    hash::Hash,
     ops::{Add, AddAssign, Div, DivAssign, Mul, MulAssign, Neg, Sub, SubAssign},
 };
 
@@ -46,14 +47,14 @@ impl Field for Goldilocks {
     fn new(value: Self::Value) -> Self {
         Self(value)
     }
-}
 
-impl DecomposableField for Goldilocks {
     #[inline]
     fn value(self) -> Self::Value {
         to_canonical_u64(self.0)
     }
+}
 
+impl DecomposableField for Goldilocks {
     #[inline]
     fn decompose(self, basis: crate::Basis<Self>) -> Vec<Self> {
         let mut temp = self.value();
@@ -259,6 +260,12 @@ impl Ord for Goldilocks {
     }
 }
 
+impl Hash for Goldilocks {
+    #[inline]
+    fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
+        self.as_canonical_u64().hash(state);
+    }
+}
 impl Neg for Goldilocks {
     type Output = Self;
     #[inline]

algebra/src/polynomial/multivariate/data_structures.rs

@@ -2,9 +2,12 @@
 
 use std::{collections::HashMap, rc::Rc};
 
+use rayon::iter::{IndexedParallelIterator, IntoParallelRefIterator, ParallelIterator};
+use serde::{Deserialize, Serialize};
+
 use crate::Field;
 
-use super::{DenseMultilinearExtension, MultilinearExtension};
+use super::DenseMultilinearExtension;
 
 /// Stores a list of products of `DenseMultilinearExtension` that is meant to be added together.
 ///
@@ -48,7 +51,7 @@ impl<F: Field> ListOfProductsOfPolynomials<F> {
     }
 }
 
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, Serialize, Deserialize)]
 /// Stores the number of variables and max number of multiplicands of the added polynomial used by the prover.
 /// This data structures will be used as the verifier key.
 pub struct PolynomialInfo {
@@ -131,14 +134,22 @@ impl<F: Field> ListOfProductsOfPolynomials<F> {
 
     /// Evaluate the polynomial at point `point`
     pub fn evaluate(&self, point: &[F]) -> F {
-        self.products
+        let mle_buff: Vec<_> = self
+            .flattened_ml_extensions
             .iter()
-            .zip(self.linear_ops.iter())
-            .fold(F::zero(), |result, ((c, p), ops)| {
-                result
-                    + p.iter().zip(ops.iter()).fold(*c, |acc, (&i, &(a, b))| {
-                        acc * (self.flattened_ml_extensions[i].evaluate(point) * a + b)
+            .map(|m| m.as_ref().clone())
+            .collect();
+        self.products
+            .par_iter()
+            .zip(self.linear_ops.par_iter())
+            .fold(
+                || F::zero(),
+                |res, ((c, p), ops)| {
+                    res + p.iter().zip(ops.iter()).fold(*c, |acc, (&i, &(a, b))| {
+                        acc * (mle_buff[i].evaluate(point) * a + b)
                     })
-            })
+                },
+            )
+            .reduce(|| F::zero(), |acc, v| acc + v)
     }
 }