a generic Trait for both ml and uni KZG #43
Conversation
|
Would also like some input from @alxiong on the APIs for PCS trait |
There was a problem hiding this comment.
@zhenfeizhang I only checked the multilinear KZG part, do I also need to check the univariate KZG part?
Yes please. |
|
|
||
| /// Input a list of polynomials, and a same number of points, | ||
| /// compute a multi-opening for all the polynomials. | ||
| fn multi_open( |
There was a problem hiding this comment.
This is a naive approach, do we want to add a TODO to implement the more efficient batch opening algorithm? (e.g., the appendix C.4 in https://eprint.iacr.org/2020/1536.pdf)
There was a problem hiding this comment.
I think we do (BTW our Jellyfish didn't use this either)
There was a problem hiding this comment.
fixed in ff2e7a9
There was a problem hiding this comment.
Thanks, can you also add an issue for this?
| use ark_ec::{msm::FixedBaseMSM, AffineCurve, PairingEngine, ProjectiveCurve}; | ||
| use ark_ff::{Field, PrimeField}; | ||
| use ark_poly::DenseMultilinearExtension; | ||
| use ark_ec::{AffineCurve, PairingEngine}; |
There was a problem hiding this comment.
why do we still keep this file param.rs?
There was a problem hiding this comment.
nice catch. removed in #39
| pub struct Commitment<E: PairingEngine> { | ||
| /// the actual commitment is an affine point. | ||
| pub commitment: E::G1Affine, | ||
| } |
There was a problem hiding this comment.
Personally, I don't think defining this struct is necessary. (maybe just a matter of preference)
- in
xxx-kzg/mod.rswe could directlytype Commitment = E::G1Affine. The indirection introduced by this struct is not useful
There was a problem hiding this comment.
sounds good to me
|
|
||
| /// Generate a commitment for a polynomial | ||
| fn commit( | ||
| prover_param: &Self::ProverParam, | ||
| poly: &impl MultilinearExtension<E::Fr>, | ||
| poly: &Self::Polynomial, | ||
| ) -> Result<Self::Commitment, PCSErrors>; |
There was a problem hiding this comment.
- We should have associated
type Errorinstead of concretePCSError - Our
enum PCSError::PolyIOPError(_)seems strange.
There was a problem hiding this comment.
Nice catch. It use PolyIOPError because IOPTranscript is implemented in PolyIOP. I now think we should have a separate crate and trait for Transcript and that should simplify things.
There was a problem hiding this comment.
fixed with #46
There was a problem hiding this comment.
#46 only fixed the second point, right?
The first point is still yet to be addressed.
| // Parameters | ||
| type ProverParam; | ||
| type VerifierParam; | ||
| type SRS; |
There was a problem hiding this comment.
This can shorten as type SRS: StructuredReferenceString<E> ?
and Self::ProverParam is just <Self::SRS as StructuredReferenceString>::ProverParam.
There was a problem hiding this comment.
no we cannot.
SRS for multilinear KZG is a tuple (MultiliearUniversalParams, UnivariateUniversalParams) and it does not have <Self::SRS as StructuredReferenceString>::ProverParam
|
|
||
| pub trait MultilinearCommitmentScheme<E: PairingEngine> { | ||
| /// This trait defines APIs for polynomial commitment schemes. | ||
| /// Note that for our usage of PCS, we do not require the hiding property. |
There was a problem hiding this comment.
interesting, if we want a general API/traits, why not consider the cases where we do need hiding?
If we consider hiding, then two things:
- our
Polynomialbetter be aLabeledPolynomial(at least something of similar spirit?) - we need to pass in an
rngtocommit()etc.
There was a problem hiding this comment.
I think we can leave this as an TODO for future. We do not currently need hiding property.
| /// WARNING: THIS FUNCTION IS FOR TESTING PURPOSE ONLY. | ||
| /// THE OUTPUT SRS SHOULD NOT BE USED IN PRODUCTION. | ||
| fn setup<R: RngCore>(rng: &mut R, num_vars: usize) -> Result<Self::SRS, PCSErrors>; | ||
| fn gen_srs_for_testing<R: RngCore>( |
There was a problem hiding this comment.
- Not sure why we use
RngCorerather thanRng - can provide a default implementation: by invoking SRS's
gen_srs_for_testing
There was a problem hiding this comment.
can provide a default implementation: by invoking SRS's gen_srs_for_testing
no. SRS may not be a single universal parameter.
| // Polynomial and its associated types | ||
| type Polynomial; | ||
| type Point; | ||
| type Evaluation; |
There was a problem hiding this comment.
why is type Evaluation necessary? isn't it always E::Fr?
especially when our verify() and batch_verify() taking a value: E::Fr or values: &[E::Fr] directly.
| fn batch_verify<R: RngCore>( | ||
| verifier_param: &Self::VerifierParam, | ||
| multi_commitment: &Self::Commitment, | ||
| points: &[&[E::Fr]], | ||
| multi_commitment: &Self::BatchCommitment, | ||
| points: &[Self::Point], | ||
| values: &[E::Fr], | ||
| batch_proof: &Self::BatchProof, | ||
| transcript: &mut IOPTranscript<E::Fr>, | ||
| rng: &mut R, |
There was a problem hiding this comment.
it's strange to only have batch_verify() taking an rng as input.
imo either both verify() and batch_verify() takes an optional rng, or both takes rngs but not necessarily use it.
I understand that usually only during batching, you need a randomizer to combine all opening proofs/statements. But one could implement a deterministic batch verification just by verifying one by one as well.
Therefore imo, the two variants of verify API should resemble each other in this regard.
There was a problem hiding this comment.
@chancharles92 Can we remove rng and use FS to deterministically derive randomness?
it makes more sense to have deterministic verification algorithm.
@zhenfeizhang mentioned that altho heuristically it should be fine, we don't have a rigorous proof.
No description provided.