Add Brakedown multilinear PCS

Cargo.toml

@@ -31,8 +31,11 @@ debug = true
 ark-ff = { git = "https://github.com/arkworks-rs/algebra/" }
 ark-ec = { git = "https://github.com/arkworks-rs/algebra/" }
 ark-serialize = { git = "https://github.com/arkworks-rs/algebra/" }
+ark-poly = { git = "https://github.com/arkworks-rs/algebra/" }
+
 ark-crypto-primitives = { git = "https://github.com/arkworks-rs/crypto-primitives" }
 ark-r1cs-std = { git = "https://github.com/arkworks-rs/r1cs-std/" }
 
 ark-bls12-377 = { git = "https://github.com/arkworks-rs/curves/" }
 ark-bls12-381 = { git = "https://github.com/arkworks-rs/curves/" }
+ark-bn254 = { git = "https://github.com/arkworks-rs/curves/" }

README.md

@@ -186,6 +186,7 @@ Unless you explicitly state otherwise, any contribution that you submit to this
 [aurora-light]: https://ia.cr/2019/601
 [pcd-acc]: https://ia.cr/2020/499
 [pst]: https://ia.cr/2011/587
+[brakedown]: https://ia.cr/2021/1043
 
 ## Reference papers
 
@@ -213,6 +214,10 @@ TCC 2020
 Charalampos Papamanthou, Elaine Shi, Roberto Tamassia   
 TCC 2013
 
+[Brakedown: Linear-time and field-agnostic SNARKs for R1CS][brakedown]    
+Alexander Golovnev, Jonathan Lee, Srinath Setty, Justin Thaler, Riad S. Wahby    
+CRYPTO 2023
+
 ## Acknowledgements
 
 This work was supported by: an Engineering and Physical Sciences Research Council grant; a Google Faculty Award; the RISELab at UC Berkeley; and donations from the Ethereum Foundation and the Interchain Foundation.

bench-templates/src/lib.rs

@@ -1,17 +1,25 @@
-use ark_crypto_primitives::sponge::{
-    poseidon::{PoseidonConfig, PoseidonSponge},
-    CryptographicSponge,
+use ark_crypto_primitives::{
+    crh::{sha256::digest::Digest, CRHScheme},
+    sponge::{
+        poseidon::{PoseidonConfig, PoseidonSponge},
+        CryptographicSponge,
+    },
 };
 use ark_ff::PrimeField;
 use ark_poly::Polynomial;
 use ark_serialize::{CanonicalSerialize, Compress};
 use ark_std::{test_rng, UniformRand};
-use rand_chacha::{rand_core::SeedableRng, ChaCha20Rng};
+use rand_chacha::{
+    rand_core::{RngCore, SeedableRng},
+    ChaCha20Rng,
+};
 
 use core::time::Duration;
-use std::time::Instant;
+use std::{borrow::Borrow, marker::PhantomData, time::Instant};
 
-use ark_poly_commit::{challenge::ChallengeGenerator, LabeledPolynomial, PolynomialCommitment};
+use ark_poly_commit::{
+    challenge::ChallengeGenerator, to_bytes, LabeledPolynomial, PolynomialCommitment,
+};
 
 pub use criterion::*;
 pub use paste::paste;
@@ -30,8 +38,10 @@ pub fn bench_pcs_method<
         &PCS::VerifierKey,
         usize,
         fn(usize, &mut ChaCha20Rng) -> P,
+        fn(usize, &mut ChaCha20Rng) -> P::Point,
     ) -> Duration,
     rand_poly: fn(usize, &mut ChaCha20Rng) -> P,
+    rand_point: fn(usize, &mut ChaCha20Rng) -> P::Point,
 ) {
     let mut group = c.benchmark_group(msg);
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
@@ -44,7 +54,13 @@ pub fn bench_pcs_method<
             BenchmarkId::from_parameter(num_vars),
             &num_vars,
             |b, num_vars| {
-                b.iter(|| method(&ck, &vk, *num_vars, rand_poly));
+                b.iter_custom(|i| {
+                    let mut time = Duration::from_nanos(0);
+                    for _ in 0..i {
+                        time += method(&ck, &vk, *num_vars, rand_poly, rand_point);
+                    }
+                    time
+                });
             },
         );
     }
@@ -62,6 +78,7 @@ pub fn commit<
     _vk: &PCS::VerifierKey,
     num_vars: usize,
     rand_poly: fn(usize, &mut ChaCha20Rng) -> P,
+    _rand_point: fn(usize, &mut ChaCha20Rng) -> P::Point,
 ) -> Duration {
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
 
@@ -102,20 +119,20 @@ pub fn open<F, P, PCS>(
     _vk: &PCS::VerifierKey,
     num_vars: usize,
     rand_poly: fn(usize, &mut ChaCha20Rng) -> P,
+    rand_point: fn(usize, &mut ChaCha20Rng) -> P::Point,
 ) -> Duration
 where
     F: PrimeField,
     P: Polynomial<F>,
     PCS: PolynomialCommitment<F, P, PoseidonSponge<F>>,
-    P::Point: UniformRand,
 {
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
 
     let labeled_poly =
         LabeledPolynomial::new("test".to_string(), rand_poly(num_vars, rng), None, None);
 
     let (coms, randomness) = PCS::commit(&ck, [&labeled_poly], Some(rng)).unwrap();
-    let point = P::Point::rand(rng);
+    let point = rand_point(num_vars, rng);
 
     let start = Instant::now();
     let _ = PCS::open(
@@ -173,20 +190,20 @@ pub fn verify<F, P, PCS>(
     vk: &PCS::VerifierKey,
     num_vars: usize,
     rand_poly: fn(usize, &mut ChaCha20Rng) -> P,
+    rand_point: fn(usize, &mut ChaCha20Rng) -> P::Point,
 ) -> Duration
 where
     F: PrimeField,
     P: Polynomial<F>,
     PCS: PolynomialCommitment<F, P, PoseidonSponge<F>>,
-    P::Point: UniformRand,
 {
     let rng = &mut ChaCha20Rng::from_rng(test_rng()).unwrap();
 
     let labeled_poly =
         LabeledPolynomial::new("test".to_string(), rand_poly(num_vars, rng), None, None);
 
     let (coms, randomness) = PCS::commit(&ck, [&labeled_poly], Some(rng)).unwrap();
-    let point = P::Point::rand(rng);
+    let point = rand_point(num_vars, rng);
     let claimed_eval = labeled_poly.evaluate(&point);
     let proof = PCS::open(
         &ck,
@@ -243,7 +260,7 @@ fn test_sponge<F: PrimeField>() -> PoseidonSponge<F> {
 
 #[macro_export]
 macro_rules! bench_method {
-    ($c:expr, $method:ident, $scheme_type:ty, $rand_poly:ident) => {
+    ($c:expr, $method:ident, $scheme_type:ty, $rand_poly:ident, $rand_point:ident) => {
         let scheme_type_str = stringify!($scheme_type);
         let bench_name = format!("{} {}", stringify!($method), scheme_type_str);
         bench_pcs_method::<_, _, $scheme_type>(
@@ -252,19 +269,20 @@ macro_rules! bench_method {
             &bench_name,
             $method::<_, _, $scheme_type>,
             $rand_poly::<_>,
+            $rand_point::<_>,
         );
     };
 }
 
 #[macro_export]
 macro_rules! bench {
     (
-        $scheme_type:ty, $rand_poly:ident
+        $scheme_type:ty, $rand_poly:ident, $rand_point:ident
     ) => {
         fn bench_pcs(c: &mut Criterion) {
-            bench_method!(c, commit, $scheme_type, $rand_poly);
-            bench_method!(c, open, $scheme_type, $rand_poly);
-            bench_method!(c, verify, $scheme_type, $rand_poly);
+            bench_method!(c, commit, $scheme_type, $rand_poly, $rand_point);
+            bench_method!(c, open, $scheme_type, $rand_poly, $rand_point);
+            bench_method!(c, verify, $scheme_type, $rand_poly, $rand_point);
         }
 
         criterion_group!(benches, bench_pcs);
@@ -276,3 +294,57 @@ macro_rules! bench {
         }
     };
 }
+
+/**** Auxiliary methods for linear-code-based PCSs ****/
+
+/// Needed for benches and tests.
+pub struct LeafIdentityHasher;
+
+impl CRHScheme for LeafIdentityHasher {
+    type Input = Vec<u8>;
+    type Output = Vec<u8>;
+    type Parameters = ();
+
+    fn setup<R: RngCore>(_: &mut R) -> Result<Self::Parameters, ark_crypto_primitives::Error> {
+        Ok(())
+    }
+
+    fn evaluate<T: Borrow<Self::Input>>(
+        _: &Self::Parameters,
+        input: T,
+    ) -> Result<Self::Output, ark_crypto_primitives::Error> {
+        Ok(input.borrow().to_vec().into())
+    }
+}
+
+/// Needed for benches and tests.
+pub struct FieldToBytesColHasher<F, D>
+where
+    F: PrimeField + CanonicalSerialize,
+    D: Digest,
+{
+    _phantom: PhantomData<(F, D)>,
+}
+
+impl<F, D> CRHScheme for FieldToBytesColHasher<F, D>
+where
+    F: PrimeField + CanonicalSerialize,
+    D: Digest,
+{
+    type Input = Vec<F>;
+    type Output = Vec<u8>;
+    type Parameters = ();
+
+    fn setup<R: RngCore>(_rng: &mut R) -> Result<Self::Parameters, ark_crypto_primitives::Error> {
+        Ok(())
+    }
+
+    fn evaluate<T: Borrow<Self::Input>>(
+        _parameters: &Self::Parameters,
+        input: T,
+    ) -> Result<Self::Output, ark_crypto_primitives::Error> {
+        let mut dig = D::new();
+        dig.update(to_bytes!(input.borrow()).unwrap());
+        Ok(dig.finalize().to_vec())
+    }
+}

poly-commit/Cargo.toml

@@ -18,15 +18,21 @@ ark-std = { version = "^0.4.0", default-features = false }
 
 ark-relations = { version = "^0.4.0", default-features = false, optional = true }
 ark-r1cs-std = { version = "^0.4.0", default-features = false, optional = true }
-hashbrown = { version = "0.13", default-features = false, optional = true }
+hashbrown = { version = "0.14", default-features = false, optional = true }
 
 digest = "0.10"
 derivative = { version = "2", features = [ "use_core" ] }
 rayon = { version = "1", optional = true }
+merlin = { version = "3.0.0", default-features = false }
 
 [[bench]]
-name = "pcs"
-path = "benches/pcs.rs"
+name = "ipa_times"
+path = "benches/ipa_times.rs"
+harness = false
+
+[[bench]]
+name = "brakedown_times"
+path = "benches/brakedown_ml_times.rs"
 harness = false
 
 [[bench]]
@@ -38,10 +44,14 @@ harness = false
 ark-ed-on-bls12-381 = { version = "^0.4.0", default-features = false }
 ark-bls12-381 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
 ark-bls12-377 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
+ark-bn254 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
 blake2 = { version = "0.10", default-features = false }
 rand_chacha = { version = "0.3.0", default-features = false }
 ark-pcs-bench-templates = { path = "../bench-templates" }
 
+[target.'cfg(target_arch = "aarch64")'.dependencies]
+num-traits = { version = "0.2", default-features = false, features = ["libm"] }
+
 [features]
 default = [ "std", "parallel" ]
 std = [ "ark-ff/std", "ark-ec/std", "ark-poly/std", "ark-std/std", "ark-relations/std", "ark-serialize/std", "ark-crypto-primitives/std"]

poly-commit/benches/brakedown_ml_times.rs

@@ -0,0 +1,62 @@
+use ark_crypto_primitives::{
+    crh::{sha256::Sha256, CRHScheme, TwoToOneCRHScheme},
+    merkle_tree::{ByteDigestConverter, Config},
+    sponge::poseidon::PoseidonSponge,
+};
+use ark_pcs_bench_templates::*;
+use ark_poly::{DenseMultilinearExtension, MultilinearExtension};
+
+use ark_bn254::Fr;
+use ark_ff::PrimeField;
+
+use ark_poly_commit::linear_codes::{LinearCodePCS, MultilinearBrakedown};
+use blake2::Blake2s256;
+use rand_chacha::ChaCha20Rng;
+
+// Brakedown PCS over BN254
+struct MerkleTreeParams;
+type LeafH = LeafIdentityHasher;
+type CompressH = Sha256;
+impl Config for MerkleTreeParams {
+    type Leaf = Vec<u8>;
+
+    type LeafDigest = <LeafH as CRHScheme>::Output;
+    type LeafInnerDigestConverter = ByteDigestConverter<Self::LeafDigest>;
+    type InnerDigest = <CompressH as TwoToOneCRHScheme>::Output;
+
+    type LeafHash = LeafH;
+    type TwoToOneHash = CompressH;
+}
+
+pub type MLE<F> = DenseMultilinearExtension<F>;
+type MTConfig = MerkleTreeParams;
+type Sponge<F> = PoseidonSponge<F>;
+type ColHasher<F> = FieldToBytesColHasher<F, Blake2s256>;
+type Brakedown<F> = LinearCodePCS<
+    MultilinearBrakedown<F, MTConfig, Sponge<F>, MLE<F>, ColHasher<F>>,
+    F,
+    MLE<F>,
+    Sponge<F>,
+    MTConfig,
+    ColHasher<F>,
+>;
+
+fn rand_poly_brakedown_ml<F: PrimeField>(
+    num_vars: usize,
+    rng: &mut ChaCha20Rng,
+) -> DenseMultilinearExtension<F> {
+    DenseMultilinearExtension::rand(num_vars, rng)
+}
+
+fn rand_point_brakedown_ml<F: PrimeField>(num_vars: usize, rng: &mut ChaCha20Rng) -> Vec<F> {
+    (0..num_vars).map(|_| F::rand(rng)).collect()
+}
+
+const MIN_NUM_VARS: usize = 12;
+const MAX_NUM_VARS: usize = 22;
+
+bench!(
+    Brakedown<Fr>,
+    rand_poly_brakedown_ml,
+    rand_point_brakedown_ml
+);

poly-commit/benches/pcs.rs → poly-commit/benches/ipa_times.rs

@@ -22,7 +22,11 @@ fn rand_poly_ipa_pc<F: PrimeField>(degree: usize, rng: &mut ChaCha20Rng) -> Dens
     DenseUnivariatePoly::rand(degree, rng)
 }
 
+fn rand_point_ipa_pc<F: PrimeField>(_: usize, rng: &mut ChaCha20Rng) -> F {
+    F::rand(rng)
+}
+
 const MIN_NUM_VARS: usize = 10;
 const MAX_NUM_VARS: usize = 20;
 
-bench!(IPA_JubJub, rand_poly_ipa_pc);
+bench!(IPA_JubJub, rand_poly_ipa_pc, rand_point_ipa_pc);

poly-commit/src/error.rs

@@ -93,6 +93,23 @@ pub enum Error {
         /// Index of the offending polynomial.
         label: String,
     },
+
+    /// This means a failure in verifying the commitment or the opening.
+    InvalidCommitment,
+
+    /// For PCS which rely on Fiat-Shamir to be rendered non-interactive,
+    /// these are errors that result from incorrect transcript manipulation.
+    TranscriptError,
+
+    /// This means the required soundness error bound is inherently impossible.
+    /// E.g., the field is not big enough.
+    InvalidParameters(String),
+
+    /// Error resulting from hashing in linear code - based PCS.
+    HashingError,
+
+    /// Shows that encoding is not feasible
+    EncodingError,
 }
 
 impl core::fmt::Display for Error {
@@ -179,6 +196,11 @@ impl core::fmt::Display for Error {
                 support up to degree ({:?})", label, poly_degree, supported_degree
             ),
             Error::IncorrectInputLength(err) => write!(f, "{}", err),
+            Error::InvalidCommitment => write!(f, "Failed to verify the commitment"),
+            Error::TranscriptError => write!(f, "Incorrect transcript manipulation"),
+            Error::InvalidParameters(err) => write!(f, "{}", err),
+            Error::HashingError => write!(f, "Error resulting from hashing"),
+            Error::EncodingError => write!(f, "Encoding failed"),
         }
     }
 }