Expand description
Ligerito polynomial commitment scheme implementation
Based on the paper by Andrija Novakovic and Guillermo Angeris: https://angeris.github.io/papers/ligerito.pdf
§Features
std(default): Enable standard library supportprover(default): Include proving functionalityverifier-only: Only include verifier (minimal dependencies)parallel(default): Enable parallel processing with rayonhardware-accel(default): Enable SIMD acceleration for binary field operationswebgpu(optional): GPU-accelerated proving via WebGPU (experimental)cli: Enable CLI binary
§Backend Selection
The prover can use different computational backends:
- CPU backend (default): Uses SIMD when
hardware-accelis enabled - GPU backend: Available with
webgpufeature, automatically falls back to CPU on failure
Control via environment variable:
LIGERITO_BACKEND=cpu # Force CPU
LIGERITO_BACKEND=gpu # Prefer GPU, fallback to CPU
LIGERITO_BACKEND=auto # Auto-detect (default)§Performance Optimizations
§Current Implementation
Uses Reed-Solomon codes over binary extension fields for all rounds:
- Round 1 (G₁): Reed-Solomon over F₂³² with 148 queries
- Rounds 2-ℓ (G₂…Gₗ): Reed-Solomon over F₂¹²⁸ with 148 queries each
This provides excellent proof sizes (147 KB for 2²⁰ polynomial) and good performance on platforms with SIMD support.
§Future WASM Optimization (Not Yet Implemented)
For WASM targets without SIMD support, a Repeat-Accumulate-Accumulate (RAA) code could be used for the first round (G₁) as described in the paper:
- G₁: RAA code over F₂⁸ (no multiplications, just XORs and accumulates)
- G₂…Gₗ: Reed-Solomon over F₂¹²⁸ (unchanged)
§RAA Tradeoffs
- ✅ 5-10x faster proving in WASM (no field multiplications needed)
- ✅ Smaller field (F₂⁸ vs F₂³²) reduces memory bandwidth
- ❌ More queries needed (1060 vs 148 for 100-bit security due to worse distance)
- ❌ Slightly larger proofs (~165 KB vs 147 KB for 2²⁰)
- ⚠️ Requires GKR construction from [Bre+24] to avoid RAA generation bottleneck
This optimization makes sense primarily for browser-based proving where user experience (proving time) matters more than proof size. For native code with SIMD, pure Reed-Solomon is faster and produces smaller proofs.
§Examples
ⓘ
use ligerito::{prove, verify, hardcoded_config_20, hardcoded_config_20_verifier};
use ligerito_binary_fields::{BinaryElem32, BinaryElem128};
use std::marker::PhantomData;
let config = hardcoded_config_20(
PhantomData::<BinaryElem32>,
PhantomData::<BinaryElem128>,
);
let poly: Vec<BinaryElem32> = vec![BinaryElem32::from(42); 1 << 20];
let proof = prove(&config, &poly).unwrap();
let verifier_config = hardcoded_config_20_verifier();
let valid = verify(&verifier_config, &proof).unwrap();
assert!(valid);Re-exports§
pub use data_structures::FinalizedLigeritoProof;pub use data_structures::VerifierConfig;pub use data_structures::ProverConfig;pub use configs::hardcoded_config_12_verifier;pub use configs::hardcoded_config_16_verifier;pub use configs::hardcoded_config_20_verifier;pub use configs::hardcoded_config_24_verifier;pub use configs::hardcoded_config_26_verifier;pub use configs::hardcoded_config_28_verifier;pub use configs::hardcoded_config_30_verifier;pub use configs::hardcoded_config_12;pub use configs::hardcoded_config_16;pub use configs::hardcoded_config_20;pub use configs::hardcoded_config_24;pub use configs::hardcoded_config_26;pub use configs::hardcoded_config_28;pub use configs::hardcoded_config_30;pub use autosizer::config_info;pub use autosizer::config_info_for_log_size;pub use autosizer::verifier_config_for_log_size;pub use autosizer::verifier_config_for_size;pub use autosizer::ConfigInfo;pub use autosizer::MAX_LOG_SIZE;pub use autosizer::MIN_LOG_SIZE;pub use autosizer::prover_config_for_log_size;pub use autosizer::prover_config_for_size;pub use prover::prove;pub use prover::prove_sha256;pub use prover::prove_with_evaluations;pub use prover::prove_with_transcript;pub use sumcheck_verifier::SumcheckError;pub use transcript::FiatShamir;pub use transcript::Sha256Transcript;pub use transcript::Transcript;pub use transcript::TranscriptType;pub use verifier::verify;pub use verifier::verify_complete;pub use verifier::verify_complete_sha256;pub use verifier::verify_debug;pub use verifier::verify_sha256;pub use verifier::verify_with_evaluations;pub use verifier::verify_with_transcript;pub use verifier::EvalVerifyResult;pub use transcript::MerlinTranscript;pub use data_structures::*;
Modules§
- autosizer
- Automatic configuration selection for polynomial sizes 2^20 to 2^30
- backend
- Backend abstraction for CPU/GPU acceleration
- configs
- Hardcoded configurations for different proof sizes
- cpu_
affinity - CPU core affinity utilities for benchmarking
- data_
structures - eval_
proof - Sumcheck-based evaluation proofs for Ligerito polynomial commitments.
- ligero
- prover
- sumcheck_
polys - sumcheck_
verifier - transcript
- Fiat-Shamir transcript implementations with 0-based indexing
- utils
- Utility functions for Ligerito - FINAL FIXED VERSION
- verifier
Enums§
- Ligerito
Error - Error types for Ligerito
Functions§
- prover
- Main prover function (uses Merlin transcript by default)
Only available with the
proverfeature - verifier
- Main verifier function (uses Merlin transcript by default) Always available