New PCS trait and implementation (#116)

closes: #62 

- Introduct new `PolynomialCommitmentScheme` trait and basic implementations
- Now `PlonkKzgSnark` use our own KZG10 implementation

CHANGELOG.md

@@ -18,6 +18,8 @@
             - Primitive gadgets, including `commitment`, `el gamal` etc. remains in `jf-primitives/circuit`.
             - Circuit for rescue hash function is now in `jf-primitives/circuit/rescue`.
     - `par-utils` is moved to `jf-utils`.
+- Introduct new `PolynomialCommitmentScheme` trait and basic implementations
+    - Now `PlonkKzgSnark` use our own KZG10 implementation
 
 ## v0.1.2
 

plonk/Cargo.toml

@@ -35,19 +35,13 @@ espresso-systems-common = { git = "https://github.com/espressosystems/espresso-s
 hashbrown = "0.12.3"
 dyn-clone = "^1.0"
 
-[dependencies.ark-poly-commit]
-git = "https://github.com/arkworks-rs/poly-commit/"
-rev = "cafc05e39692bbc5c383990063ad851f0b94a553"
-default-features = false
-
 [dev-dependencies]
 bincode = "1.0"
 ark-ed-on-bls12-381 = "0.3.0"
 ark-ed-on-bls12-377 = { git = "https://github.com/arkworks-rs/curves", rev = "677b4ae751a274037880ede86e9b6f30f62635af" }
 ark-ed-on-bls12-381-bandersnatch = { git = "https://github.com/arkworks-rs/curves", rev = "677b4ae751a274037880ede86e9b6f30f62635af" }
 ark-ed-on-bn254 = "0.3.0"
 hex = "^0.4.3"
-jf-relation = { path = "../relation", default-features = false }
 
 # Benchmarks
 [[bench]]

plonk/src/circuit/plonk_verifier/gadgets.rs

@@ -529,7 +529,7 @@ mod test {
 
         // 5. Verification
         let open_key_ref = &vks_type_a[0].open_key;
-        let beta_g_ref = &srs.0.powers_of_g[1];
+        let beta_g_ref = &srs.powers_of_g[1];
         let blinding_factor = E::Fr::rand(rng);
         let (inner1, inner2) = BatchArgument::partial_verify::<T>(
             beta_g_ref,

plonk/src/circuit/plonk_verifier/mod.rs

@@ -521,7 +521,7 @@ mod test {
 
             // 5. Verification
             let open_key_ref = &vks_type_a[0].open_key;
-            let beta_g_ref = &srs.0.powers_of_g[1];
+            let beta_g_ref = &srs.powers_of_g[1];
             let blinding_factor = E::Fr::rand(rng);
             let (inner1, inner2) = BatchArgument::partial_verify::<T>(
                 beta_g_ref,
@@ -810,7 +810,7 @@ mod test {
 
             // 5. Build circuit
             let open_key_ref = &vks_type_a[0].open_key;
-            let beta_g_ref = &srs.0.powers_of_g[1];
+            let beta_g_ref = &srs.powers_of_g[1];
             let blinding_factor = E::Fr::rand(rng);
 
             let (mut circuit, _partial_verify_points) = build_circuit::<E, F, P>(

plonk/src/circuit/transcript.rs

@@ -235,8 +235,8 @@ mod tests {
     };
     use ark_bls12_377::Bls12_377;
     use ark_ec::{AffineCurve, ProjectiveCurve};
-    use ark_poly_commit::kzg10::{Commitment, VerifierKey};
     use ark_std::{format, test_rng, UniformRand};
+    use jf_primitives::pcs::prelude::{Commitment, UnivariateVerifierParam};
     use jf_relation::gadgets::ecc::Point;
     use jf_utils::{bytes_to_field_elements, field_switching};
 
@@ -306,13 +306,10 @@ mod tests {
         let mut transcript_var = RescueTranscriptVar::new(&mut circuit);
         let mut transcript = RescueTranscript::<F>::new(label);
 
-        let open_key: VerifierKey<E> = VerifierKey {
+        let open_key: UnivariateVerifierParam<E> = UnivariateVerifierParam {
             g: E::G1Affine::prime_subgroup_generator(),
-            gamma_g: E::G1Projective::rand(&mut rng).into_affine(),
             h: E::G2Affine::prime_subgroup_generator(),
             beta_h: E::G2Projective::rand(&mut rng).into_affine(),
-            prepared_h: E::G2Affine::prime_subgroup_generator().into(),
-            prepared_beta_h: E::G2Projective::rand(&mut rng).into_affine().into(),
         };
 
         let dummy_vk = VerifyingKey {
@@ -321,7 +318,7 @@ mod tests {
             sigma_comms: Vec::new(),
             selector_comms: Vec::new(),
             k: Vec::new(),
-            open_key: open_key.clone(),
+            open_key,
             is_merged: false,
             plookup_vk: None,
         };
@@ -380,7 +377,7 @@ mod tests {
                 sigma_comms,
                 selector_comms,
                 k,
-                open_key: open_key.clone(),
+                open_key,
                 is_merged: false,
                 plookup_vk: None,
             };

plonk/src/errors.rs

@@ -8,6 +8,7 @@
 
 use ark_std::{format, string::String};
 use displaydoc::Display;
+use jf_primitives::pcs::errors::PCSError;
 use jf_relation::errors::CircuitError;
 
 /// A `enum` specifying the possible failure modes of the Plonk.
@@ -24,7 +25,7 @@ pub enum PlonkError {
     /// An error in the Plonk SNARK logic: {0}
     SnarkError(SnarkError),
     /// An error in the underlying polynomial commitment: {0}
-    PcsError(ark_poly_commit::Error),
+    PCSError(PCSError),
     /// An error in the Plonk circuit: {0}
     CircuitError(CircuitError),
     /// An error during IO: {0}
@@ -47,9 +48,9 @@ pub enum PlonkError {
 
 impl ark_std::error::Error for PlonkError {}
 
-impl From<ark_poly_commit::Error> for PlonkError {
-    fn from(e: ark_poly_commit::Error) -> Self {
-        Self::PcsError(e)
+impl From<PCSError> for PlonkError {
+    fn from(e: PCSError) -> Self {
+        Self::PCSError(e)
     }
 }
 

plonk/src/proof_system/batch_arg.rs

@@ -351,7 +351,7 @@ mod test {
 
         // 5. Verification
         let open_key_ref = &vks_type_a[0].open_key;
-        let beta_g_ref = &srs.0.powers_of_g[1];
+        let beta_g_ref = &srs.powers_of_g[1];
         let blinding_factor = E::Fr::rand(rng);
         let (inner1, inner2) = BatchArgument::partial_verify::<T>(
             beta_g_ref,

plonk/src/proof_system/prover.rs

@@ -21,16 +21,16 @@ use ark_poly::{
     univariate::DensePolynomial, EvaluationDomain, GeneralEvaluationDomain, Polynomial,
     Radix2EvaluationDomain, UVPolynomial,
 };
-use ark_poly_commit::{
-    kzg10::{Commitment, Powers, Randomness, KZG10},
-    PCRandomness,
-};
 use ark_std::{
     rand::{CryptoRng, RngCore},
     string::ToString,
     vec,
     vec::Vec,
 };
+use jf_primitives::pcs::{
+    prelude::{Commitment, UnivariateKzgPCS},
+    PolynomialCommitmentScheme,
+};
 use jf_relation::{constants::GATE_WIDTH, Arithmetization};
 use jf_utils::par_utils::parallelizable_slice_iter;
 #[cfg(feature = "parallel")]
@@ -82,7 +82,7 @@ impl<E: PairingEngine> Prover<E> {
             .into_iter()
             .map(|poly| self.mask_polynomial(prng, poly, 1))
             .collect();
-        let wires_poly_comms = Self::commit_polynomials(ck, &wire_polys)?;
+        let wires_poly_comms = UnivariateKzgPCS::multi_commit(ck, &wire_polys)?;
         let pub_input_poly = cs.compute_pub_input_polynomial()?;
         Ok(((wires_poly_comms, wire_polys), pub_input_poly))
     }
@@ -106,7 +106,7 @@ impl<E: PairingEngine> Prover<E> {
         let h_1_poly = self.mask_polynomial(prng, h_1_poly, 2);
         let h_2_poly = self.mask_polynomial(prng, h_2_poly, 2);
         let h_polys = vec![h_1_poly, h_2_poly];
-        let h_poly_comms = Self::commit_polynomials(ck, &h_polys)?;
+        let h_poly_comms = UnivariateKzgPCS::multi_commit(ck, &h_polys)?;
         Ok(((h_poly_comms, h_polys), sorted_vec, merged_lookup_table))
     }
 
@@ -124,7 +124,7 @@ impl<E: PairingEngine> Prover<E> {
             cs.compute_prod_permutation_polynomial(&challenges.beta, &challenges.gamma)?,
             2,
         );
-        let prod_perm_comm = Self::commit_polynomial(ck, &prod_perm_poly)?;
+        let prod_perm_comm = UnivariateKzgPCS::commit(ck, &prod_perm_poly)?;
         Ok((prod_perm_comm, prod_perm_poly))
     }
 
@@ -157,7 +157,7 @@ impl<E: PairingEngine> Prover<E> {
             )?,
             2,
         );
-        let prod_lookup_comm = Self::commit_polynomial(ck, &prod_lookup_poly)?;
+        let prod_lookup_comm = UnivariateKzgPCS::commit(ck, &prod_lookup_poly)?;
         Ok((prod_lookup_comm, prod_lookup_poly))
     }
 
@@ -176,7 +176,7 @@ impl<E: PairingEngine> Prover<E> {
         let quot_poly =
             self.compute_quotient_polynomial(challenges, pks, online_oracles, num_wire_types)?;
         let split_quot_polys = self.split_quotient_polynomial(prng, &quot_poly, num_wire_types)?;
-        let split_quot_poly_comms = Self::commit_polynomials(ck, &split_quot_polys)?;
+        let split_quot_poly_comms = UnivariateKzgPCS::multi_commit(ck, &split_quot_polys)?;
 
         Ok((split_quot_poly_comms, split_quot_polys))
     }
@@ -451,29 +451,6 @@ impl<E: PairingEngine> Prover<E> {
         mask_poly + poly
     }
 
-    /// Compute polynomial commitments.
-    fn commit_polynomials(
-        ck: &CommitKey<E>,
-        polys: &[DensePolynomial<E::Fr>],
-    ) -> Result<Vec<Commitment<E>>, PlonkError> {
-        let poly_comms = parallelizable_slice_iter(polys)
-            .map(|poly| Self::commit_polynomial(ck, poly))
-            .collect::<Result<Vec<_>, _>>()?;
-        Ok(poly_comms)
-    }
-
-    /// Commit a polynomial.
-    #[inline]
-    fn commit_polynomial(
-        ck: &CommitKey<E>,
-        poly: &DensePolynomial<E::Fr>,
-    ) -> Result<Commitment<E>, PlonkError> {
-        let powers: Powers<'_, E> = ck.into();
-        let (poly_comm, _) =
-            KZG10::commit(&powers, poly, None, None).map_err(PlonkError::PcsError)?;
-        Ok(poly_comm)
-    }
-
     /// Return a batched opening proof given a list of polynomials `polys_ref`,
     /// evaluation point `eval_point`, and randomized combiner `r`.
     fn compute_batched_witness_polynomial_commitment(
@@ -489,14 +466,10 @@ impl<E: PairingEngine> Prover<E> {
         );
 
         // Compute opening witness polynomial and its commitment
-        let empty_rand = Randomness::<E::Fr, DensePolynomial<E::Fr>>::empty();
-        let (witness_poly, _) = KZG10::<E, DensePolynomial<E::Fr>>::compute_witness_polynomial(
-            &batch_poly,
-            *eval_point,
-            &empty_rand,
-        )?;
+        let divisor = DensePolynomial::from_coefficients_vec(vec![-*eval_point, E::Fr::one()]);
+        let witness_poly = &batch_poly / &divisor;
 
-        Self::commit_polynomial(ck, &witness_poly)
+        UnivariateKzgPCS::commit(ck, &witness_poly).map_err(PlonkError::PCSError)
     }
 
     /// Compute the quotient polynomial via (i)FFTs.