From 6c81f651938318f5591ba7d184b46342a36c3bbf Mon Sep 17 00:00:00 2001
From: mmagician
Date: Mon, 28 Oct 2024 14:14:51 +0100
Subject: [PATCH 1/6] use workspace dependencies
---
 Cargo.toml | 11 +++++++++++
 bench-templates/Cargo.toml | 17 ++++++++---------
 poly-commit/Cargo.toml | 18 ++++++++----------
 3 files changed, 27 insertions(+), 19 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 51ea045a..4b3dec28 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,6 +15,17 @@ categories = ["cryptography"]
 license = "MIT/Apache-2.0"
 edition = "2018"
+[workspace.dependencies]
+ark-serialize = { version = "^0.4.0", default-features = false }
+ark-ff = { version = "^0.4.0", default-features = false }
+ark-ec = { version = "^0.4.0", default-features = false }
+ark-poly = { version = "^0.4.0", default-features = false }
+ark-crypto-primitives = { version = "^0.4.0", default-features = false }
+ark-std = { version = "^0.4.0", default-features = false }
+ark-relations = { version = "^0.4.0", default-features = false }
+ark-r1cs-std = { version = "^0.4.0", default-features = false }
+rand_chacha = { version = "0.3.0", default-features = false }
+
 [profile.release]
 opt-level = 3
 lto = "thin"
diff --git a/bench-templates/Cargo.toml b/bench-templates/Cargo.toml
index 854b4e2e..9309a6ea 100644
--- a/bench-templates/Cargo.toml
+++ b/bench-templates/Cargo.toml
@@ -11,14 +11,13 @@ publish = false
 [dependencies]
 ark-poly-commit = { path = "../poly-commit", default-features = false }
-ark-serialize = { version = "^0.4.0", default-features = false, features = [ "derive" ] }
-ark-ff = { version = "^0.4.0", default-features = false }
-ark-ec = { version = "^0.4.0", default-features = false }
-ark-poly = {version = "^0.4.0", default-features = false }
-ark-crypto-primitives = {version = "^0.4.0", default-features = false, features = ["sponge", "merkle_tree"] }
-ark-std = { version = "^0.4.0", default-features = false }
+ark-serialize = { workspace = true, features = [ "derive" ] }
+ark-ff.workspace = true
+ark-ec.workspace = true
+ark-poly.workspace = true
+ark-crypto-primitives = { workspace = true, features = ["sponge", "merkle_tree"] }
+ark-std.workspace = true
+rand_chacha.workspace = true
-rand_chacha = { version = "0.3.0", default-features = false }
 criterion = { version = "0.5", default-features = false }
-
-paste = "1.0"
\ No newline at end of file
+paste = "1.0"
diff --git a/poly-commit/Cargo.toml b/poly-commit/Cargo.toml
index 024f6f62..34707fcf 100644
--- a/poly-commit/Cargo.toml
+++ b/poly-commit/Cargo.toml
@@ -9,20 +9,18 @@ license.workspace = true
 edition.workspace = true
 [dependencies]
-ark-serialize = { version = "^0.4.0", default-features = false, features = [ "derive" ] }
-ark-ff = { version = "^0.4.0", default-features = false }
-ark-ec = { version = "^0.4.0", default-features = false }
-ark-poly = {version = "^0.4.0", default-features = false }
-ark-crypto-primitives = {version = "^0.4.0", default-features = false, features = ["sponge", "merkle_tree"] }
-ark-std = { version = "^0.4.0", default-features = false }
+ark-serialize = { workspace = true, features = [ "derive" ] }
+ark-ff.workspace = true
+ark-ec.workspace = true
+ark-poly.workspace = true
+ark-crypto-primitives = { workspace = true, features = ["sponge", "merkle_tree"] }
+ark-std.workspace = true
+ark-relations = { workspace = true, optional = true }
+ark-r1cs-std = { workspace = true, optional = true }
 blake2 = { version = "0.10", default-features = false }
 derivative = { version = "2", features = [ "use_core" ] }
 digest = "0.10"
-
-ark-relations = { version = "^0.4.0", default-features = false, optional = true }
-ark-r1cs-std = { version = "^0.4.0", default-features = false, optional = true }
-
 hashbrown = { version = "0.15", default-features = false, features = ["inline-more", "allocator-api2"], optional = true }
 rand = { version = "0.8.0", optional = true }
 rayon = { version = "1", optional = true }
From a673eb1dd351a467684735a2dab8698d0d2b622c Mon Sep 17 00:00:00 2001
From: mmagician
Date: Mon, 28 Oct 2024 14:17:15 +0100
Subject: [PATCH 2/6] bump versions, comment out patching
---
 Cargo.toml | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 4b3dec28..fa43f384 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,7 +4,7 @@ resolver = "2"
 [workspace.package]
-version = "0.4.0"
+version = "0.5.0"
 authors = ["arkworks contributors"]
 description = "A library for constructing polynomial commitment schemes for use in zkSNARKs"
 repository = "https://github.com/arkworks-rs/poly-commit"
@@ -16,14 +16,14 @@ license = "MIT/Apache-2.0"
 edition = "2018"
 [workspace.dependencies]
-ark-serialize = { version = "^0.4.0", default-features = false }
-ark-ff = { version = "^0.4.0", default-features = false }
-ark-ec = { version = "^0.4.0", default-features = false }
-ark-poly = { version = "^0.4.0", default-features = false }
-ark-crypto-primitives = { version = "^0.4.0", default-features = false }
-ark-std = { version = "^0.4.0", default-features = false }
-ark-relations = { version = "^0.4.0", default-features = false }
-ark-r1cs-std = { version = "^0.4.0", default-features = false }
+ark-serialize = { version = "0.5.0", default-features = false }
+ark-ff = { version = "0.5.0", default-features = false }
+ark-ec = { version = "0.5.0", default-features = false }
+ark-poly = { version = "0.5.0", default-features = false }
+ark-crypto-primitives = { version = "0.5.0", default-features = false }
+ark-std = { version = "0.5.0", default-features = false }
+ark-relations = { version = "0.5.0", default-features = false }
+ark-r1cs-std = { version = "0.5.0", default-features = false }
 rand_chacha = { version = "0.3.0", default-features = false }
 [profile.release]
@@ -38,16 +38,16 @@ debug-assertions = true
 incremental = true
 debug = true
-[patch.crates-io]
-ark-std = { git = "https://github.com/arkworks-rs/std/" }
-ark-ff = { git = "https://github.com/arkworks-rs/algebra/" }
-ark-ec = { git = "https://github.com/arkworks-rs/algebra/" }
-ark-serialize = { git = "https://github.com/arkworks-rs/algebra/" }
-ark-poly = { git = "https://github.com/arkworks-rs/algebra/" }
+# [patch.crates-io]
+# ark-std = { git = "https://github.com/arkworks-rs/std/" }
+# ark-ff = { git = "https://github.com/arkworks-rs/algebra/" }
+# ark-ec = { git = "https://github.com/arkworks-rs/algebra/" }
+# ark-serialize = { git = "https://github.com/arkworks-rs/algebra/" }
+# ark-poly = { git = "https://github.com/arkworks-rs/algebra/" }
-ark-crypto-primitives = { git = "https://github.com/arkworks-rs/crypto-primitives/" }
-ark-r1cs-std = { git = "https://github.com/arkworks-rs/r1cs-std/" }
+# ark-crypto-primitives = { git = "https://github.com/arkworks-rs/crypto-primitives/" }
+# ark-r1cs-std = { git = "https://github.com/arkworks-rs/r1cs-std/" }
-ark-bls12-377 = { git = "https://github.com/arkworks-rs/algebra/" }
-ark-bls12-381 = { git = "https://github.com/arkworks-rs/algebra/" }
-ark-bn254 = { git = "https://github.com/arkworks-rs/algebra/" }
+# ark-bls12-377 = { git = "https://github.com/arkworks-rs/algebra/" }
+# ark-bls12-381 = { git = "https://github.com/arkworks-rs/algebra/" }
+# ark-bn254 = { git = "https://github.com/arkworks-rs/algebra/" }
From 135fa293e08169e826b1e27751b41d45fdfcda5d Mon Sep 17 00:00:00 2001
From: mmagician
Date: Mon, 28 Oct 2024 14:21:50 +0100
Subject: [PATCH 3/6] bump dev-dependencies versions
---
 poly-commit/Cargo.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/poly-commit/Cargo.toml b/poly-commit/Cargo.toml
index 34707fcf..8a0680ee 100644
--- a/poly-commit/Cargo.toml
+++ b/poly-commit/Cargo.toml
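Review bot: The `[patch.crates-io]` block at the end of the hunk is commented out line by line instead of being removed, which leaves eleven lines of dead configuration in the root Cargo.toml. Every entry points at a git repository with no `rev`, `tag` or `branch`, so whoever uncomments the block later builds against whatever the default branch of those repositories holds at that moment rather than the released 0.5.0 versions the rest of this series moves to. If the block is kept on purpose as a template for testing against unreleased arkworks crates, say so above it, e.g. `# Local development only: uncomment to build against the arkworks git repositories; pin a rev before committing`; otherwise delete the lines, since the history stays in git.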
@@ -58,10 +58,10 @@ ahash = { version = "0.8", default-features = false}
 fnv = { version = "1.0", default-features = false }
 [dev-dependencies]
-ark-ed-on-bls12-381 = { version = "^0.4.0", default-features = false }
-ark-bls12-381 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
-ark-bls12-377 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
-ark-bn254 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
+ark-ed-on-bls12-381 = { version = "0.5.0", default-features = false }
+ark-bls12-381 = { version = "0.5.0", default-features = false, features = [ "curve" ] }
+ark-bls12-377 = { version = "0.5.0", default-features = false, features = [ "curve" ] }
+ark-bn254 = { version = "0.5.0", default-features = false, features = [ "curve" ] }
 rand_chacha = { version = "0.3.0", default-features = false }
 ark-pcs-bench-templates = { path = "../bench-templates" }
From d65b5d32bb2e02b3e8460e1148898f21a6339a23 Mon Sep 17 00:00:00 2001
From: mmagician
Date: Mon, 28 Oct 2024 14:22:59 +0100
Subject: [PATCH 4/6] add missing description attribute
---
 poly-commit/Cargo.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/poly-commit/Cargo.toml b/poly-commit/Cargo.toml
index 8a0680ee..f619574e 100644
--- a/poly-commit/Cargo.toml
+++ b/poly-commit/Cargo.toml
@@ -7,6 +7,7 @@ categories.workspace = true
 include.workspace = true
 license.workspace = true
 edition.workspace = true
+description.workspace = true
 [dependencies]
 ark-serialize = { workspace = true, features = [ "derive" ] }
From 4b712a8dc17383428fe587bf717e6140e393435d Mon Sep 17 00:00:00 2001
From: Hossein Moghaddas
Date: Tue, 29 Oct 2024 00:06:02 +0100
Subject: [PATCH 5/6] Merge READMEs (#157)
* Merge READMEs
* Fix number
---
 README.md | 108 +++++++++++++++++++++++++++++++++++++-
 poly-commit/README.md | 117 ------------------------------------------
 2 files changed, 107 insertions(+), 118 deletions(-)
 delete mode 100644 poly-commit/README.md
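Review bot: `rand_chacha = { version = "0.3.0", default-features = false }` in `[dev-dependencies]` is still a direct declaration, although patch 1 of this series added the identical spec to `[workspace.dependencies]` and switched the `[dependencies]` tables of poly-commit and bench-templates to inherit it; the two copies can now drift apart on the next bump. Replace the line with `rand_chacha.workspace = true` so the dev-dependency follows the same single source of truth as the four curve crates bumped here should, and consider moving those curve crates into the workspace table as well if bench-templates ever needs them. The `[dev-dependencies]` table may continue past the end of the hunk.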
diff --git a/README.md b/README.md
index e851ee1e..50c57af2 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,112 @@ This library provides various constructions of polynomial commitment schemes. Th
 The key properties satisfied by the polynomial commitment schemes are **succinctness**, **extractability**, and **hiding**. See [the Marlin paper][marlin] for definitions of these properties.
-[kzg10]: http://cacr.uwaterloo.ca/techreports/2010/cacr2010-10.pdf
+### Supported Polynomial Commitment Schemes
+
+The library supports six polynomial commitment schemes.
+
+#### Inner-product-argument PC
+
+A polynomial commitment scheme based on the hardness of the discrete logarithm problem in prime-order groups.
+The construction is described in the following paper.
+
+[pcd-acc]: https://ia.cr/2020/499
+
+[Proof-Carrying Data from Accumulation Schemes][pcd-acc]
+Benedikt Bünz, Alessandro Chiesa, Pratyush Mishra, Nicholas Spooner
+TCC 2020
+
+#### Marlin variant of the Kate-Zaverucha-Goldberg PC
+
+Polynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement, batching, and (optional) hiding property taken from Marlin.
+The construction is described in the following papers.
+
+[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]
+Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward
+EUROCRYPT 2020
+
+[Polynomial Commitments][kzg10]
+Aniket Kate, Gregory M. Zaverucha, Ian Goldberg
+ASIACRYPT 2010
+
+#### Sonic/AuroraLight variant of the Kate-Zaverucha-Goldberg PC
+
+Polynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement and batching taken from Sonic (more precisely, their counterparts in AuroraLight that avoid negative G1 powers). The (optional) hiding property of the commitment scheme follows the approach described in Marlin.
+The construction is described in the following papers.
+
+[AuroraLight: Improved Prover Efficiency and SRS Size in a Sonic-Like System][aurora-light]
+Ariel Gabizon
+ePrint, 2019
+
+[Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings][sonic]
+Mary Maller, Sean Bowe, Markulf Kohlweiss, Sarah Meiklejohn
+CCS 2019
+
+[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]
+Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward
+EUROCRYPT 2020
+
+[Polynomial Commitments][kzg10]
+Aniket Kate, Gregory M. Zaverucha, Ian Goldberg
+ASIACRYPT 2010
+
+#### Hyrax multilinear PC
+
+Multilinear polynomial commitment, introduced with Hyrax zkSNARK. Relies on Pedersen commitments and discrete logarithm problem for a hiding scheme. Construction details in the following paper.
+
+[Doubly-efficient zkSNARKs without trusted setup][hyrax]
+Riad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, Michael Walfish
+2018 IEEE Symposium on Security and Privacy
+
+#### Ligero and Brakedown
+
+Polynomial commitments based on linear codes and cryptographic hash functions. Construction details in the following papers.
+
+[Ligero: Lightweight Sublinear Arguments Without a Trusted Setup][ligero]
+Scott Ames, Carmit Hazay, Yuval Ishai, Muthuramakrishnan Venkitasubramaniam
+CCS 2017
+
+[Brakedown: Linear-time and field-agnostic SNARKs for R1CS][brakedown]
+Alexander Golovnev, Jonathan Lee, Srinath Setty, Justin Thaler, Riad S. Wahby
+CRYPTO 2023
+
+#### Marlin variant of the Papamanthou-Shi-Tamassia multivariate PC
+
+Multivariate polynomial commitment based on the construction in the Papamanthou-Shi-Tamassia construction with batching and (optional) hiding property inspired by the univariate scheme in Marlin.
+The construction is described in the following paper.
+
+[Signatures of Correct Computation][pst]
+Charalampos Papamanthou, Elaine Shi, Roberto Tamassia
+TCC 2013
+
+[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]
+Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward
+EUROCRYPT 2020
+
+### Comparison (WIP)
+
+#### Comparison of `MarlinKZG10` and `SonicKZG10`
+
+
+- High-level:
+They handle degree bounds differently.
+MarlinPC uses shift powers only in G1 and requires two commitments to enforce degree bounds.
+SonicPC uses shift powers in G1 and G2 and requires only one commitment to enforce degree bounds.
+
+- Setup:
+SonicPC additionally computes some G2 elements for shift powers: `(1/\beta)^i H`. This results in a longer verifying key, as shift powers in SonicPC are in G2, while shift powers in Marlin are in G1, and are shared with the "non-shift" powers.
+
+- Commit:
+When there is no degree bound, both are the same.
+When there is a degree bound, MarlinPC is more expensive: it needs an additional commitment to commit to the shifted poynomial.
+
+- Open:
+When there is no degree bound, both are the same.
+When there is a degree bound, MarlinPC is slightly more expensive: it requires more scalar field computations.
+
+- Check:
+MarlinPC simply adjusts the commitment of the shifted polynomial, so the overhead is small. It checks a pairing equation with two pairing operations.
+SonicPC is more expensive, as it checks a pairing equation of three pairing operations. It can be reduced into two if there is no degree bound.
 ## Build guide
@@ -178,6 +283,7 @@ This library is licensed under either of the following licenses, at your discret
 Unless you explicitly state otherwise, any contribution that you submit to this library shall be dual licensed as above (as defined in the Apache v2 License), without any additional terms or conditions.
+[kzg10]: http://cacr.uwaterloo.ca/techreports/2010/cacr2010-10.pdf
 [marlin]: https://ia.cr/2019/1047
 [sonic]: https://ia.cr/2019/099
 [aurora-light]: https://ia.cr/2019/601
diff --git a/poly-commit/README.md b/poly-commit/README.md
deleted file mode 100644
index e2e3d0fc..00000000
--- a/poly-commit/README.md
+++ /dev/null
@@ -1,117 +0,0 @@
-## Supported Polynomial Commitment Schemes
-
-The library supports four polynomial commitment schemes.
-
-### Inner-product-argument PC
-
-A polynomial commitment scheme based on the hardness of the discrete logarithm problem in prime-order groups.
-
-The construction is described in the following paper.
-
-[pcd-acc]: https://ia.cr/2020/499
-
-[Proof-Carrying Data from Accumulation Schemes][pcd-acc]
-Benedikt Bünz, Alessandro Chiesa, Pratyush Mishra, Nicholas Spooner
-TCC 2020
-
-### Marlin variant of the Kate-Zaverucha-Goldberg PC
-
-[kzg10]: http://cacr.uwaterloo.ca/techreports/2010/cacr2010-10.pdf
-[marlin]: https://ia.cr/2019/1047
-
-Polynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement, batching, and (optional) hiding property taken from Marlin.
-
-The construction is described in the following paper.
-
-[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]
-Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward
-EUROCRYPT 2020
-
-[Polynomial Commitments][kzg10]
-Aniket Kate, Gregory M. Zaverucha, Ian Goldberg
-ASIACRYPT 2010
-
-### Sonic/AuroraLight variant of the Kate-Zaverucha-Goldberg PC
-
-Polynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement and batching taken from Sonic (more precisely, their counterparts in AuroraLight that avoid negative G1 powers). The (optional) hiding property of the commitment scheme follows the approach described in Marlin.
-
-The construction is described in the following papers.
-
-[sonic]: https://ia.cr/2019/099
-[aurora-light]: https://ia.cr/2019/601
-
-[AuroraLight: Improved Prover Efficiency and SRS Size in a Sonic-Like System][aurora-light]
-Ariel Gabizon
-ePrint, 2019
-
-[Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings][sonic]
-Mary Maller, Sean Bowe, Markulf Kohlweiss, Sarah Meiklejohn
-CCS 2019
-
-[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]
-Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward
-EUROCRYPT 2020
-
-[Polynomial Commitments][kzg10]
-Aniket Kate, Gregory M. Zaverucha, Ian Goldberg
-ASIACRYPT 2010
-
-### Hyrax multilinear PC
-
-Polynomial commitment scheme introduced together with the Hyrax zkSNARK (in [this](https://eprint.iacr.org/2017/1132) article). It is based on Pedersen commitments and therefore relies on the difficulty of the discrete logarithm problem in order to provide a hiding PCS.
-
-[Doubly-efficient zkSNARKs without trusted setup][hyrax]
-Riad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, Michael Walfish
-2018 IEEE Symposium on Security and Privacy
-
-[hyrax]: https://eprint.iacr.org/2017/1132
-
-### Marlin variant of the Papamanthou-Shi-Tamassia multivariate PC
-
-Multivariate polynomial commitment based on the construction in the Papamanthou-Shi-Tamassia construction with batching and (optional) hiding property inspired by the univariate scheme in Marlin.
-
-The construction is described in the following paper.
-
-[pst]: https://ia.cr/2011/587
-
-[Signatures of Correct Computation][pst]
-Charalampos Papamanthou, Elaine Shi, Roberto Tamassia
-TCC 2013
-
-[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]
-Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward
-EUROCRYPT 2020
-
-## Comparison
-
-### Comparison of `MarlinKZG10` and `SonicKZG10`
-
-
-#### High-level:
-They handle degree bounds differently.
-
-MarlinPC uses shift powers only in G1 and requires two commitments to enforce degree bounds.
-
-SonicPC uses shift powers in G1 and G2 and requires only one commitment to enforce degree bounds.
-
-#### Setup:
-
-SonicPC additionally computes some G2 elements for shift powers: `(1/\beta)^i H`. This results in a longer verifying key, as shift powers in SonicPC are in G2, while shift powers in Marlin are in G1, and are shared with the "non-shift" powers.
-
-#### Commit:
-
-When there is no degree bound, both are the same.
-
-When there is a degree bound, MarlinPC is more expensive: it needs an additional commitment to commit to the shifted poynomial.
-
-#### Open:
-
-When there is no degree bound, both are the same.
-
-When there is a degree bound, MarlinPC is slightly more expensive: it requires more scalar field computations.
-
-#### Check:
-
-MarlinPC simply adjusts the commitment of the shifted polynomial, so the overhead is small. It checks a pairing equation with two pairing operations.
-
-SonicPC is more expensive, as it checks a pairing equation of three pairing operations. It can be reduced into two if there is no degree bound.
From 3027536a06717d11cc0c6c629d9663330ac64c70 Mon Sep 17 00:00:00 2001
From: mmagician
Date: Tue, 29 Oct 2024 10:26:04 +0100
Subject: [PATCH 6/6] symlink readme
---
 poly-commit/README.md | 1 +
 poly-commit/src/lib.rs | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 120000 poly-commit/README.md
diff --git a/poly-commit/README.md b/poly-commit/README.md
new file mode 120000
index 00000000..32d46ee8
--- /dev/null
+++ b/poly-commit/README.md
@@ -0,0 +1 @@
+../README.md
\ No newline at end of file
diff --git a/poly-commit/src/lib.rs b/poly-commit/src/lib.rs
index 4e3cb498..8a2381fe 100644
--- a/poly-commit/src/lib.rs
+++ b/poly-commit/src/lib.rs
@@ -9,7 +9,7 @@
 #![deny(renamed_and_removed_lints, stable_features, unused_allocation)]
 #![deny(unused_comparisons, bare_trait_objects, unused_must_use)]
 #![forbid(unsafe_code)]
-#![doc = include_str!("../../README.md")]
+#![doc = include_str!("../README.md")]
 #[allow(unused)]
 #[macro_use]
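Review bot: The new `#![doc = include_str!("../README.md")]` now resolves through the symlink `poly-commit/README.md -> ../README.md` created in the same commit, and that indirection has two failure modes the commit does not address. On a checkout where symlinks are not materialised (Git on Windows without `core.symlinks`), the path is an ordinary file whose content is the text `../README.md`, so the crate still compiles but its rustdoc front page silently becomes that one-line string. For `cargo package` and docs.rs the packaged crate only compiles if `README.md` ends up in the archive; poly-commit/Cargo.toml inherits `include.workspace = true`, and the workspace `include` list is outside this diff, so confirm with `cargo package --list` that the README is shipped. A comment above the attribute such as `// README.md in this crate is a symlink to the workspace README` would make the dependency visible to the next maintainer.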