Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Batmend - initial commit #1

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions IOPattern_four_vars.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
A32merkle_digest Blake3Digest([63, 79, 203, 228, 52, 30, 199, 199, 234, 246, 209, 75, 91, 122, 207, 37, 190, 102, 139, 46, 61, 199, 160, 242, 56, 91, 182, 190, 221, 238, 217, 28])
S40ood_query 496090556472482157227124295107730874349425066829199419478
A24ood_ans 2008192582585769878732808870209185571505559560108270735214
S40initial_combination_randomness 1036223778987892531367586015394337774991542045768540530803
A72sumcheck_poly [2863748321830604872201480993629500363419834369787534307757, 2945983431744485097996296476752932074456849537878124912066, 489246492537795930881113147635491002420827836642500856917]
S40folding_randomness 2842015537352596079637993377988221303060110461005914387427
A72sumcheck_poly [2743206174876103998924571611202687838381591615517130945377, 570732556324652042166037468384925958058155140204244065662, 1491137860541706754817329273032439961182182737937342041275]
S40folding_randomness 2580360515837486253372628039817129790250507520031217874285
A72sumcheck_poly [2942206771197855713387737024755535428961741405408064982484, 1202116672411398598941720713031395409374339518216725737062, 328392026248393198715004963262356684314161153106063479961]
S40folding_randomness 3764298373090849832915598184584490622110517971750793964102
A72sumcheck_poly [2750283827762927940432477045411790725017552549124145139352, 671716911091839700876144772915585284963678682644866181507, 2648944189836157012233167322522553685259104719071896991970]
S40folding_randomness 2244059385584586179131745187878113578425923828465382379028
A24final_coeffs
S32final_queries_seed
S32pow_queries
A8pow-nonce
41 changes: 41 additions & 0 deletions output.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
IOPattern: IOPattern("🌪\u{fe0f}\0A32merkle_digest\0S40ood_query\0A24ood_ans\0S40initial_combination_randomness\0A72sumcheck_poly\0S40folding_randomness\0A72sumcheck_poly\0S40folding_randomness\0A72sumcheck_poly\0S40folding_randomness\0A72sumcheck_poly\0S40folding_randomness\0A24final_coeffs\0S32final_queries_seed\0S32pow_queries\0A8pow-nonce")
=========================================
Whir (PCS) 🌪️
Field: Field192 and MT: Blake3
Number of variables: 4, folding factor: 4
Security level: 100 bits using ConjectureList security and 2 bits of PoW
initial_folding_pow_bits: 0
final_queries: 98, final_rate: 2^-1, final_pow_bits: 2, final_folding_pow_bits: 0
------------------------------------
Round by round soundness analysis:
------------------------------------
175.0 bits -- OOD commitment
184.0 bits -- (x4) prox gaps: 185.0, sumcheck: 184.0, pow: 0.0
100.0 bits -- query error: 98.0, pow: 2.0

Points [MultilinearPoint([0, 0, 0, 0])]
Evaluations [0]
Prover is adding SumcheckPolynomial { n_variables: 1, evaluations: [2863748321830604872201480993629500363419834369787534307757, 2945983431744485097996296476752932074456849537878124912066, 489246492537795930881113147635491002420827836642500856917] }
Prover is adding folding randomness 2842015537352596079637993377988221303060110461005914387427
Prover is adding SumcheckPolynomial { n_variables: 1, evaluations: [2743206174876103998924571611202687838381591615517130945377, 570732556324652042166037468384925958058155140204244065662, 1491137860541706754817329273032439961182182737937342041275] }
Prover is adding folding randomness 2580360515837486253372628039817129790250507520031217874285
Prover is adding SumcheckPolynomial { n_variables: 1, evaluations: [2942206771197855713387737024755535428961741405408064982484, 1202116672411398598941720713031395409374339518216725737062, 328392026248393198715004963262356684314161153106063479961] }
Prover is adding folding randomness 3764298373090849832915598184584490622110517971750793964102
Prover is adding SumcheckPolynomial { n_variables: 1, evaluations: [2750283827762927940432477045411790725017552549124145139352, 671716911091839700876144772915585284963678682644866181507, 2648944189836157012233167322522553685259104719071896991970] }
Prover is adding folding randomness 2244059385584586179131745187878113578425923828465382379028
The Root is: Blake3Digest([63, 79, 203, 228, 52, 30, 199, 199, 234, 246, 209, 75, 91, 122, 207, 37, 190, 102, 139, 46, 61, 199, 160, 242, 56, 91, 182, 190, 221, 238, 217, 28])
The OOD query is: [496090556472482157227124295107730874349425066829199419478]
The OOD answer is: [2008192582585769878732808870209185571505559560108270735214]
Initial combination randomness generator is: 1036223778987892531367586015394337774991542045768540530803
Initial sumcheck polynomials: SumcheckPolynomial { n_variables: 1, evaluations: [2863748321830604872201480993629500363419834369787534307757, 2945983431744485097996296476752932074456849537878124912066, 489246492537795930881113147635491002420827836642500856917] }
Initial sumcheck verifier folding randomness: 2842015537352596079637993377988221303060110461005914387427
Initial sumcheck polynomials: SumcheckPolynomial { n_variables: 1, evaluations: [2743206174876103998924571611202687838381591615517130945377, 570732556324652042166037468384925958058155140204244065662, 1491137860541706754817329273032439961182182737937342041275] }
Initial sumcheck verifier folding randomness: 2580360515837486253372628039817129790250507520031217874285
Initial sumcheck polynomials: SumcheckPolynomial { n_variables: 1, evaluations: [2942206771197855713387737024755535428961741405408064982484, 1202116672411398598941720713031395409374339518216725737062, 328392026248393198715004963262356684314161153106063479961] }
Initial sumcheck verifier folding randomness: 3764298373090849832915598184584490622110517971750793964102
Initial sumcheck polynomials: SumcheckPolynomial { n_variables: 1, evaluations: [2750283827762927940432477045411790725017552549124145139352, 671716911091839700876144772915585284963678682644866181507, 2648944189836157012233167322522553685259104719071896991970] }
Initial sumcheck verifier folding randomness: 2244059385584586179131745187878113578425923828465382379028
First polynomial: SumcheckPolynomial { n_variables: 1, evaluations: [2863748321830604872201480993629500363419834369787534307757, 2945983431744485097996296476752932074456849537878124912066, 489246492537795930881113147635491002420827836642500856917] }
Initial combination randomness[1, 1036223778987892531367586015394337774991542045768540530803]
Ans: 2008192582585769878732808870209185571505559560108270735214 Rand: 1
Ans: 0 Rand: 1036223778987892531367586015394337774991542045768540530803
120 changes: 6 additions & 114 deletions src/bin/main.rs
Original file line number Diff line number Diff line change
Expand Up @@ -184,103 +184,8 @@ fn run_whir<F, MerkleConfig>(
{
match args.protocol_type {
WhirType::PCS => run_whir_pcs::<F, MerkleConfig>(args, leaf_hash_params, two_to_one_params),
WhirType::LDT => {
run_whir_as_ldt::<F, MerkleConfig>(args, leaf_hash_params, two_to_one_params)
}
}
}

fn run_whir_as_ldt<F, MerkleConfig>(
args: Args,
leaf_hash_params: <<MerkleConfig as Config>::LeafHash as CRHScheme>::Parameters,
two_to_one_params: <<MerkleConfig as Config>::TwoToOneHash as TwoToOneCRHScheme>::Parameters,
) where
F: FftField + CanonicalSerialize,
MerkleConfig: Config<Leaf = [F]> + Clone,
MerkleConfig::InnerDigest: AsRef<[u8]> + From<[u8; 32]>,
{
use whir::whir_ldt::{
committer::Committer, iopattern::WhirIOPattern, parameters::WhirConfig, prover::Prover,
verifier::Verifier, whir_proof_size,
};

// Runs as a LDT
let security_level = args.security_level;
let pow_bits = args.pow_bits.unwrap();
let num_variables = args.num_variables;
let starting_rate = args.rate;
let reps = args.verifier_repetitions;
let folding_factor = args.folding_factor;
let fold_optimisation = args.fold_optimisation;
let soundness_type = args.soundness_type;

if args.num_evaluations > 1 {
println!("Warning: running as LDT but a number of evaluations to be proven was specified.");
}

let num_coeffs = 1 << num_variables;

let mv_params = MultivariateParameters::<F>::new(num_variables);

let whir_params = WhirParameters::<MerkleConfig, PowStrategy> {
security_level,
pow_bits,
folding_factor,
leaf_hash_params,
two_to_one_params,
soundness_type,
fold_optimisation,
_pow_parameters: Default::default(),
starting_log_inv_rate: starting_rate,
};

let params = WhirConfig::<F, MerkleConfig, PowStrategy>::new(mv_params, whir_params);

let io = IOPattern::<DefaultHash>::new("🌪️")
.commit_statement(&params)
.add_whir_proof(&params)
.clone();

let mut merlin = io.to_merlin();

println!("=========================================");
println!("Whir (LDT) 🌪️");
println!("Field: {:?} and MT: {:?}", args.field, args.merkle_tree);
println!("{}", params);
if !params.check_pow_bits() {
println!("WARN: more PoW bits required than what specified.");
WhirType::LDT => {}
}

use ark_ff::Field;
let polynomial = CoefficientList::new(
(0..num_coeffs)
.map(<F as Field>::BasePrimeField::from)
.collect(),
);

let whir_prover_time = Instant::now();

let committer = Committer::new(params.clone());
let witness = committer.commit(&mut merlin, polynomial).unwrap();

let prover = Prover(params.clone());

let proof = prover.prove(&mut merlin, witness).unwrap();

dbg!(whir_prover_time.elapsed());
dbg!(whir_proof_size(merlin.transcript(), &proof));

// Just not to count that initial inversion (which could be precomputed)
let verifier = Verifier::new(params);

HashCounter::reset();
let whir_verifier_time = Instant::now();
for _ in 0..reps {
let mut arthur = io.to_arthur(merlin.transcript());
verifier.verify(&mut arthur, &proof).unwrap();
}
dbg!(whir_verifier_time.elapsed() / reps as u32);
dbg!(HashCounter::get() as f64 / reps as f64);
}

fn run_whir_pcs<F, MerkleConfig>(
Expand Down Expand Up @@ -335,6 +240,8 @@ fn run_whir_pcs<F, MerkleConfig>(
.add_whir_proof(&params)
.clone();

println!("IOPattern: {:?}", io); //Reilabs Debug:

let mut merlin = io.to_merlin();

println!("=========================================");
Expand All @@ -351,6 +258,7 @@ fn run_whir_pcs<F, MerkleConfig>(
.map(<F as Field>::BasePrimeField::from)
.collect(),
);
// println!("{:?}", polynomial); //Reilabs Debug:
let points: Vec<_> = (0..num_evaluations)
.map(|i| MultilinearPoint(vec![F::from(i as u64); num_variables]))
.collect();
Expand All @@ -363,39 +271,23 @@ fn run_whir_pcs<F, MerkleConfig>(
points,
evaluations,
};

let whir_prover_time = Instant::now();
println!("Points {:?}", statement.points); //Reilabs Debug:
println!("Evaluations {:?}", statement.evaluations); //Reilabs Debug:

let committer = Committer::new(params.clone());
let witness = committer.commit(&mut merlin, polynomial).unwrap();

let prover = Prover(params.clone());

let proof = prover
.prove(&mut merlin, statement.clone(), witness)
.unwrap();

println!("Prover time: {:.1?}", whir_prover_time.elapsed());
println!(
"Proof size: {:.1} KiB",
whir_proof_size(merlin.transcript(), &proof) as f64 / 1024.0
);

// Just not to count that initial inversion (which could be precomputed)
let verifier = Verifier::new(params);

HashCounter::reset();
let whir_verifier_time = Instant::now();
for _ in 0..reps {
let mut arthur = io.to_arthur(merlin.transcript());
verifier.verify(&mut arthur, &statement, &proof).unwrap();
}
println!(
"Verifier time: {:.1?}",
whir_verifier_time.elapsed() / reps as u32
);
println!(
"Average hashes: {:.1}k",
(HashCounter::get() as f64 / reps as f64) / 1000.0
);
}
1 change: 0 additions & 1 deletion src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,3 @@ pub mod poly_utils; // Utils for polynomials
pub mod sumcheck; // Sumcheck specialised
pub mod utils; // Utils in general
pub mod whir; // The real prover
pub mod whir_ldt; // Whir as a LDT // Shared parameters
2 changes: 2 additions & 0 deletions src/sumcheck/prover_not_skipping.rs
Original file line number Diff line number Diff line change
Expand Up @@ -74,8 +74,10 @@ where

for _ in 0..folding_factor {
let sumcheck_poly = self.sumcheck_prover.compute_sumcheck_polynomial();
println!("Prover is adding {:?}", sumcheck_poly); //Reilabs Debug:
merlin.add_scalars(sumcheck_poly.evaluations())?;
let [folding_randomness]: [F; 1] = merlin.challenge_scalars()?;
println!("Prover is adding folding randomness {:?}", folding_randomness); //Reilabs Debug:
res.push(folding_randomness);

// Do PoW if needed
Expand Down
14 changes: 12 additions & 2 deletions src/whir/verifier.rs
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@ where
) -> ProofResult<ParsedProof<F>> {
// Derive combination randomness and first sumcheck polynomial
let [combination_randomness_gen]: [F; 1] = arthur.challenge_scalars()?;
println!("Initial combination randomness generator is: {:?}", combination_randomness_gen); //Reilabs Debug:
let initial_combination_randomness = expand_randomness(
combination_randomness_gen,
parsed_commitment.ood_points.len() + statement.points.len(),
Expand All @@ -118,9 +119,10 @@ where
for _ in 0..self.params.folding_factor {
let sumcheck_poly_evals: [F; 3] = arthur.next_scalars()?;
let sumcheck_poly = SumcheckPolynomial::new(sumcheck_poly_evals.to_vec(), 1);
println!("Initial sumcheck polynomials: {:?}", sumcheck_poly); //Reilabs Debug:
let [folding_randomness_single] = arthur.challenge_scalars()?;
println!("Initial sumcheck verifier folding randomness: {:?}", folding_randomness_single); //Reilabs Debug:
sumcheck_rounds.push((sumcheck_poly, folding_randomness_single));

if self.params.starting_folding_pow_bits > 0. {
arthur.challenge_pow::<PowStrategy>(self.params.starting_folding_pow_bits)?;
}
Expand Down Expand Up @@ -451,20 +453,28 @@ where
// We first do a pass in which we rederive all the FS challenges
// Then we will check the algebraic part (so to optimise inversions)
let parsed_commitment = self.parse_commitment(arthur)?;
println!("The Root is: {:?}", parsed_commitment.root); //Reilabs Debug:
println!("The OOD query is: {:?}", parsed_commitment.ood_points); //Reilabs Debug:
println!("The OOD answer is: {:?}", parsed_commitment.ood_answers); //Reilabs Debug:
let parsed = self.parse_proof(arthur, &parsed_commitment, statement, whir_proof)?;

let computed_folds = self.compute_folds(&parsed);

// Check the first polynomial
let (mut prev_poly, mut randomness) = parsed.initial_sumcheck_rounds[0].clone();
println!("First polynomial: {:?}", prev_poly); //Reilabs Debug
println!("Initial combination randomness{:?}", parsed.initial_combination_randomness); //Reilabs Debug:
if prev_poly.sum_over_hypercube()
!= parsed_commitment
.ood_answers
.iter()
.copied()
.chain(statement.evaluations.clone())
.zip(&parsed.initial_combination_randomness)
.map(|(ans, rand)| ans * rand)
.map(|(ans, rand)| {
println!("Ans: {:?} Rand: {:?}", ans, rand); //Reilabs Debug:
ans * rand
})
.sum()
{
return Err(ProofError::InvalidProof);
Expand Down