ark_poly_commit::hyrax

Struct HyraxPC

Source 
pub struct HyraxPC<G: AffineRepr, P: MultilinearExtension<G::ScalarField>> { /* private fields */ }
Expand description

Hyrax polynomial committment scheme: A polynomial commitment scheme based on the hardness of the discrete logarithm problem in prime-order groups. This is a Fiat-Shamired version of the PCS described in the Hyrax paper [WTsTW17].

§Future optimisations

  • Add parallelisation. There is at least one natural place where parallelisation could bring performance gains: in essence, the prover commits to the polynomial by expressing it as an evaluation matrix and Pederson-multi-committing to each row. Each of this commitments can be computed independently from the rest, and therefore, in parallel. It is still to be seen how much of an improvement this would entail, since each Pederson multi-commitment boils down to a multi-exponentiation and this operation is itself parallelised.
  • Due to the homomorphic nature of Pedersen commitments, it is likely some of the following methods can be designed more efficiently than their default implementations: batch_open, batch_check, open_combinations, check_combinations. This is not discussed in the reference article, but the IPA and KZG modules might be a good starting point.
  • On a related note to the previous point, there might be a more efficient way to open several polynomials at a single point (this is the functionality of the open method) than the currently implemented technique, where only the computation of the vectors L and R is shared across polynomials.
  • The cited article proposes an optimisation in the section Reducing the cost of proof-of-dot-prod. It allows for non-square matrices (and hence removes the requirement for the number of variables to be even) and introduces a tradeoff between proof size and verifier time. It is probably worth pursuing.

Trait Implementations§

Source§

impl<G, P> PolynomialCommitment<<G as AffineRepr>::ScalarField, P> for HyraxPC<G, P>
where G: AffineRepr, G::ScalarField: Absorb, P: MultilinearExtension<G::ScalarField>,

Source§

fn setup<R: RngCore>( _max_degree: usize, num_vars: Option<usize>, _rng: &mut R, ) -> Result<Self::UniversalParams, Self::Error>

Outputs mock universal parameters for the Hyrax polynomial commitment scheme. It does not return random keys across calls and should never be used in settings where security is required - it is only useful for testing.

§Panics

Panics if num_vars is None or contains an odd value.

Source§

fn trim( pp: &Self::UniversalParams, _supported_degree: usize, _supported_hiding_bound: usize, _enforced_degree_bounds: Option<&[usize]>, ) -> Result<(Self::CommitterKey, Self::VerifierKey), Self::Error>

Trims a key into a prover key and a verifier key. This should only amount to discarding some of the points in said key if the prover and verifier only wish to commit to polynomials with fewer variables than the key can support. Since the number of variables is not considered in the prototype, this function currently simply clones the key.

Source§

fn commit<'a>( ck: &Self::CommitterKey, polynomials: impl IntoIterator<Item = &'a LabeledPolynomial<G::ScalarField, P>>, rng: Option<&mut dyn RngCore>, ) -> Result<(Vec<LabeledCommitment<Self::Commitment>>, Vec<Self::CommitmentState>), Self::Error>
where P: 'a,

Produces a list of commitments to the passed polynomials. Cf. the section “Square-root commitment scheme” from the reference article.

§Panics

Panics if rng is None, since Hyrax requires randomness in order to commit to a polynomial

Source§

fn open<'a>( ck: &Self::CommitterKey, labeled_polynomials: impl IntoIterator<Item = &'a LabeledPolynomial<G::ScalarField, P>>, commitments: impl IntoIterator<Item = &'a LabeledCommitment<Self::Commitment>>, point: &'a P::Point, sponge: &mut impl CryptographicSponge, states: impl IntoIterator<Item = &'a Self::CommitmentState>, rng: Option<&mut dyn RngCore>, ) -> Result<Self::Proof, Self::Error>
where Self::Commitment: 'a, Self::CommitmentState: 'a, P: 'a,

Opens a list of polynomial commitments at a desired point. This requires the list of original polynomials (labeled_polynomials) as well as the random values using by the Pedersen multi-commits during the commitment phase (randomness). Cf. sections “Square-root commitment scheme” and appendix A.2 from the reference article.

§Panics

Panics if

  • rng is None, since Hyrax requires randomness in order to open the commitment to a polynomial.
  • The point doesn’t have an even number of variables.
  • The labels of a commitment doesn’t match that of the corresponding polynomial.
  • The number of variables of a polynomial doesn’t match that of the point.
Source§

fn check<'a>( vk: &Self::VerifierKey, commitments: impl IntoIterator<Item = &'a LabeledCommitment<Self::Commitment>>, point: &'a P::Point, _values: impl IntoIterator<Item = G::ScalarField>, proof: &Self::Proof, sponge: &mut impl CryptographicSponge, _rng: Option<&mut dyn RngCore>, ) -> Result<bool, Self::Error>
where Self::Commitment: 'a,

Verifies a list of opening proofs and confirms the evaluation of the committed polynomials at the desired point.

§Panics
  • If the point doesn’t have an even number of variables.
  • If the length of a commitment does not correspond to the length of the point (specifically, commitment length should be 2^(point-length/2)).
§Disregarded arguments
  • rng
Source§

type UniversalParams = HyraxUniversalParams<G>

The universal parameters for the commitment scheme. These are “trimmed” down to Self::CommitterKey and Self::VerifierKey by Self::trim.
Source§

type CommitterKey = HyraxUniversalParams<G>

The committer key for the scheme; used to commit to a polynomial and then open the commitment to produce an evaluation proof.
Source§

type VerifierKey = HyraxUniversalParams<G>

The verifier key for the scheme; used to check an evaluation proof.
Source§

type Commitment = HyraxCommitment<G>

The commitment to a polynomial.
Source§

type CommitmentState = HyraxCommitmentState<<G as AffineRepr>::ScalarField>

Auxiliary state of the commitment, output by the commit phase. It contains information that can be reused by the committer during the open phase, such as the commitment randomness. Not to be shared with the verifier.
Source§

type Proof = Vec<HyraxProof<G>>

The evaluation proof for a single point.
Source§

type BatchProof = Vec<<HyraxPC<G, P> as PolynomialCommitment<<G as AffineRepr>::ScalarField, P>>::Proof>

The evaluation proof for a query set.
Source§

type Error = Error

The error type for the scheme.
Source§

fn batch_open<'a>( ck: &Self::CommitterKey, labeled_polynomials: impl IntoIterator<Item = &'a LabeledPolynomial<F, P>>, commitments: impl IntoIterator<Item = &'a LabeledCommitment<Self::Commitment>>, query_set: &QuerySet<P::Point>, sponge: &mut impl CryptographicSponge, states: impl IntoIterator<Item = &'a Self::CommitmentState>, rng: Option<&mut dyn RngCore>, ) -> Result<Self::BatchProof, Self::Error>
where P: 'a, Self::CommitmentState: 'a, Self::Commitment: 'a,

Open several polynomials at one or more points each (possibly different for each polynomial). Each entry in the in the query set of points contains the label of the polynomial which should be queried at that point. Read more
Source§

fn batch_check<'a, R: RngCore>( vk: &Self::VerifierKey, commitments: impl IntoIterator<Item = &'a LabeledCommitment<Self::Commitment>>, query_set: &QuerySet<P::Point>, evaluations: &Evaluations<P::Point, F>, proof: &Self::BatchProof, sponge: &mut impl CryptographicSponge, rng: &mut R, ) -> Result<bool, Self::Error>
where Self::Commitment: 'a,

Verify opening proofs for several polynomials at one or more points each (possibly different for each polynomial). Each entry in the query set of points contains the label of the polynomial which was queried at that point. Read more
Source§

fn open_combinations<'a>( ck: &Self::CommitterKey, linear_combinations: impl IntoIterator<Item = &'a LinearCombination<F>>, polynomials: impl IntoIterator<Item = &'a LabeledPolynomial<F, P>>, commitments: impl IntoIterator<Item = &'a LabeledCommitment<Self::Commitment>>, query_set: &QuerySet<P::Point>, sponge: &mut impl CryptographicSponge, states: impl IntoIterator<Item = &'a Self::CommitmentState>, rng: Option<&mut dyn RngCore>, ) -> Result<BatchLCProof<F, Self::BatchProof>, Self::Error>
where Self::CommitmentState: 'a, Self::Commitment: 'a, P: 'a,

Open commitments to all polynomials involved in a number of linear combinations (LC) simultaneously.
Source§

fn check_combinations<'a, R: RngCore>( vk: &Self::VerifierKey, linear_combinations: impl IntoIterator<Item = &'a LinearCombination<F>>, commitments: impl IntoIterator<Item = &'a LabeledCommitment<Self::Commitment>>, eqn_query_set: &QuerySet<P::Point>, eqn_evaluations: &Evaluations<P::Point, F>, proof: &BatchLCProof<F, Self::BatchProof>, sponge: &mut impl CryptographicSponge, rng: &mut R, ) -> Result<bool, Self::Error>
where Self::Commitment: 'a,

Verify opening proofs for all polynomials involved in a number of linear combinations (LC) simultaneously.

Auto Trait Implementations§

§

impl<G, P> Freeze for HyraxPC<G, P>

§

impl<G, P> RefUnwindSafe for HyraxPC<G, P>
where G: RefUnwindSafe, P: RefUnwindSafe,

§

impl<G, P> Send for HyraxPC<G, P>
where P: Send,

§

impl<G, P> Sync for HyraxPC<G, P>

§

impl<G, P> Unpin for HyraxPC<G, P>
where G: Unpin, P: Unpin,

§

impl<G, P> UnwindSafe for HyraxPC<G, P>
where G: UnwindSafe, P: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> Pointable for T

Source§

const ALIGN: usize

The alignment of pointer.
Source§

type Init = T

The type for initializers.
Source§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
Source§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
Source§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
Source§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V