Add support for odd powers of two in sqrt pst

Cargo.toml

@@ -72,7 +72,7 @@ parallel = [ "std", "ark-ff/parallel", "ark-std/parallel", "ark-ec/parallel", "a
 std = ["ark-ff/std", "ark-ec/std", "ark-std/std", "ark-relations/std", "ark-serialize/std"]
 
 [patch.crates-io]
-ark-poly-commit = {git = "https://github.com/cryptonetlab/ark-polycommit", branch="feat/pst_on_g2"}
+ark-poly-commit = {git = "https://github.com/cryptonetlab/ark-polycommit", branch="feat/variable-crs"}
 ark-groth16 = { git = "https://github.com/arkworks-rs/groth16" }
 blstrs = { git = "https://github.com/nikkolasg/blstrs", branch = "feat/arkwork" }
 ark-ec = { git = "https://github.com/vmx/algebra", branch = "affine-repr-xy-owned" }

benches/testudo.rs

@@ -52,7 +52,7 @@ where
   E::ScalarField: Absorb,
 {
   let mut writer = csv::Writer::from_path(file_name).expect("unable to open csv writer");
-  for &s in [4, 10, 12, 14, 16, 18, 20, 22, 24, 26].iter() {
+  for &s in [4, 5, 10, 12, 14, 16, 18, 20, 22, 24, 26].iter() {
     println!("Running for {} inputs", s);
     let mut br = BenchmarkResults::default();
     let num_vars = (2_usize).pow(s as u32);

src/constraints.rs

@@ -229,6 +229,7 @@ pub struct R1CSVerificationCircuit<F: PrimeField> {
   pub sc_phase1: SumcheckVerificationCircuit<F>,
   pub sc_phase2: SumcheckVerificationCircuit<F>,
   // The point on which the polynomial was evaluated by the prover.
+  pub claimed_rx: Vec<F>,
   pub claimed_ry: Vec<F>,
   pub claimed_transcript_sat_state: F,
 }
@@ -251,6 +252,7 @@ impl<F: PrimeField> R1CSVerificationCircuit<F> {
       sc_phase2: SumcheckVerificationCircuit {
         polys: config.polys_sc2.clone(),
       },
+      claimed_rx: config.rx.clone(),
       claimed_ry: config.ry.clone(),
       claimed_transcript_sat_state: config.transcript_sat_state,
     }
@@ -284,6 +286,12 @@ impl<F: PrimeField> ConstraintSynthesizer<F> for R1CSVerificationCircuit<F> {
       .map(|i| FpVar::<F>::new_variable(cs.clone(), || Ok(i), AllocationMode::Input).unwrap())
       .collect::<Vec<FpVar<F>>>();
 
+    let claimed_rx_vars = self
+      .claimed_rx
+      .iter()
+      .map(|r| FpVar::<F>::new_variable(cs.clone(), || Ok(r), AllocationMode::Input).unwrap())
+      .collect::<Vec<FpVar<F>>>();
+
     let claimed_ry_vars = self
       .claimed_ry
       .iter()
@@ -304,6 +312,13 @@ impl<F: PrimeField> ConstraintSynthesizer<F> for R1CSVerificationCircuit<F> {
         .sc_phase1
         .verifiy_sumcheck(&poly_sc1_vars, &claim_phase1_var, &mut transcript_var)?;
 
+    // The prover sends (rx, ry) to the verifier for the evaluation proof so
+    // the constraints need to ensure it is indeed the result from the first
+    // round of sumcheck verification.
+    for (i, r) in claimed_rx_vars.iter().enumerate() {
+      rx_var[i].enforce_equal(r)?;
+    }
+
     let (Az_claim, Bz_claim, Cz_claim, prod_Az_Bz_claims) = &self.claims_phase2;
 
     let Az_claim_var = FpVar::<F>::new_witness(cs.clone(), || Ok(Az_claim))?;
@@ -344,6 +359,7 @@ impl<F: PrimeField> ConstraintSynthesizer<F> for R1CSVerificationCircuit<F> {
     //  claimed point, coming from the prover, is actually the point derived
     //  inside the circuit. These additional checks will be removed
     //  when the commitment verification is done inside the circuit.
+    //  Moreover, (rx, ry) will be used in the evaluation proof.
     for (i, r) in claimed_ry_vars.iter().enumerate() {
       ry_var[i].enforce_equal(r)?;
     }
@@ -401,6 +417,7 @@ pub struct VerifierConfig<E: Pairing> {
   pub eval_vars_at_ry: E::ScalarField,
   pub polys_sc1: Vec<UniPoly<E::ScalarField>>,
   pub polys_sc2: Vec<UniPoly<E::ScalarField>>,
+  pub rx: Vec<E::ScalarField>,
   pub ry: Vec<E::ScalarField>,
   pub transcript_sat_state: E::ScalarField,
 }

src/dense_mlpoly.rs

@@ -185,12 +185,14 @@ impl<E: Pairing> PolyCommitmentGens<E> {
   pub fn setup(num_vars: usize, label: &'static [u8]) -> PolyCommitmentGens<E> {
     let (_left, right) = EqPolynomial::<E::ScalarField>::compute_factored_lens(num_vars);
     let gens = DotProductProofGens::new(right.pow2(), label);
-
+    let odd = if num_vars % 2 == 1 { 1 } else { 0 };
     // Generates the SRS and trims it based on the number of variables in the
     // multilinear polynomial.
+    // If num_vars is odd, a crs of size num_vars/2 + 1 will be needed for the
+    // polynomial commitment.
     let mut rng = ark_std::test_rng();
-    let pst_gens = MultilinearPC::<E>::setup(num_vars / 2, &mut rng);
-    let (ck, vk) = MultilinearPC::<E>::trim(&pst_gens, num_vars / 2);
+    let pst_gens = MultilinearPC::<E>::setup(num_vars / 2 + odd, &mut rng);
+    let (ck, vk) = MultilinearPC::<E>::trim(&pst_gens, num_vars / 2 + odd);
 
     PolyCommitmentGens { gens, ck, vk }
   }

src/mipp.rs

@@ -304,7 +304,7 @@ impl<E: Pairing> MippProof<E> {
 
     let check_u = ref_final_res.uc == final_u;
     assert!(check_u == true);
-    check_h & check_u & check_t
+    check_h & check_u
   }
 }
 

src/r1csproof.rs

@@ -58,7 +58,6 @@ pub struct R1CSVerifierProof<E: Pairing> {
   initial_state: E::ScalarField,
   transcript_sat_state: E::ScalarField,
   eval_vars_at_ry: E::ScalarField,
-  ry: Vec<E::ScalarField>,
   proof_eval_vars_at_ry: Proof<E>,
   t: E::TargetField,
   mipp_proof: MippProof<E>,
@@ -138,6 +137,9 @@ where
       sc_phase2: SumcheckVerificationCircuit {
         polys: uni_polys_round2,
       },
+      claimed_rx: (0..num_cons.log_2())
+        .map(|_i| E::ScalarField::rand(&mut rng))
+        .collect_vec(),
       claimed_ry: (0..num_vars.log_2() + 1)
         .map(|_i| E::ScalarField::rand(&mut rng))
         .collect_vec(),
@@ -407,6 +409,7 @@ where
       eval_vars_at_ry: self.eval_vars_at_ry,
       input_as_sparse_poly,
       comm: self.comm.clone(),
+      rx: self.rx.clone(),
       ry: self.ry.clone(),
       transcript_sat_state: self.transcript_sat_state,
     };
@@ -423,7 +426,6 @@ where
       initial_state: self.initial_state,
       transcript_sat_state: self.transcript_sat_state,
       eval_vars_at_ry: self.eval_vars_at_ry,
-      ry: self.ry.clone(),
       proof_eval_vars_at_ry: self.proof_eval_vars_at_ry.clone(),
       t: self.t,
       mipp_proof: self.mipp_proof.clone(),
@@ -439,15 +441,18 @@ where
   // commitment opening.
   pub fn verify(
     &self,
+    r: (Vec<E::ScalarField>, Vec<E::ScalarField>),
     input: &[E::ScalarField],
     evals: &(E::ScalarField, E::ScalarField, E::ScalarField),
     transcript: &mut PoseidonTranscript<E::ScalarField>,
     gens: &R1CSGens<E>,
   ) -> Result<bool, ProofVerifyError> {
+    let (rx, ry) = &r;
     let (Ar, Br, Cr) = evals;
     let mut pubs = vec![self.initial_state];
     pubs.extend(input.clone());
-    pubs.extend(self.ry.clone());
+    pubs.extend(rx.clone());
+    pubs.extend(ry.clone());
     pubs.extend(vec![
       self.eval_vars_at_ry,
       *Ar,
@@ -466,7 +471,7 @@ where
         transcript,
         &gens.gens_pc.vk,
         &self.comm,
-        &self.ry[1..],
+        &ry[1..],
         self.eval_vars_at_ry,
         &self.proof_eval_vars_at_ry,
         &self.mipp_proof,
@@ -616,7 +621,13 @@ mod tests {
 
     let mut verifier_transcript = PoseidonTranscript::new(&params.clone());
     assert!(verifer_proof
-      .verify(&input, &inst_evals, &mut verifier_transcript, &gens)
+      .verify(
+        (rx, ry),
+        &input,
+        &inst_evals,
+        &mut verifier_transcript,
+        &gens
+      )
       .is_ok());
   }
 }

src/sqrt_pst.rs

@@ -13,40 +13,61 @@ use crate::{
 
 pub struct Polynomial<E: Pairing> {
   m: usize,
+  odd: usize,
   polys: Vec<DensePolynomial<E::ScalarField>>,
   q: Option<DensePolynomial<E::ScalarField>>,
   chis_b: Option<Vec<E::ScalarField>>,
 }
 
 impl<E: Pairing> Polynomial<E> {
   // Given the evaluations over the boolean hypercube of a polynomial p of size
-  // 2*m compute the sqrt-sized polynomials p_i as
+  // n compute the sqrt-sized polynomials p_i as
   // p_i(X) = \sum_{j \in \{0,1\}^m} p(j, i) * chi_j(X)
   // where p(X,Y) = \sum_{i \in \{0,\1}^m}
   //  (\sum_{j \in \{0, 1\}^{m}} p(j, i) * \chi_j(X)) * \chi_i(Y)
-  // TODO: add case when the length of the list is not an even power of 2
+  // and m is n/2.
+  // To handle the case in which m is odd, the number of variables in the
+  // sqrt-sized polynomials will be increased by a factor of 2 (i.e. 2^{m+1})
+  // while the number of polynomials remains the same (i.e. 2^m)
   pub fn from_evaluations(Z: &[E::ScalarField]) -> Self {
     let pl_timer = Timer::new("poly_list_build");
     // check the evaluation list is a power of 2
     debug_assert!(Z.len() & (Z.len() - 1) == 0);
-    let m = Z.len().log_2() / 2;
-    let pow_m = 2_usize.pow(m as u32);
-    let polys: Vec<DensePolynomial<E::ScalarField>> = (0..pow_m)
+
+    let num_vars = Z.len().log_2();
+    let m_col = num_vars / 2;
+    let m_row = if num_vars % 2 == 0 {
+      num_vars / 2
+    } else {
+      num_vars / 2 + 1
+    };
+
+    let pow_m_col = 2_usize.pow(m_col as u32);
+    let pow_m_row = 2_usize.pow(m_row as u32);
+
+    let polys: Vec<DensePolynomial<E::ScalarField>> = (0..pow_m_col)
       .into_par_iter()
       .map(|i| {
-        let z: Vec<E::ScalarField> = (0..pow_m)
+        let z: Vec<E::ScalarField> = (0..pow_m_row)
           .into_par_iter()
           // viewing the list of evaluation as a square matrix
           // we select by row j and column i
-          .map(|j| Z[(j << m) | i])
+          // to handle the odd case, we add another row to the matrix i.e.
+          // we add an extra variable to the polynomials while keeping their
+          // number tje same
+          .map(|j| Z[(j << m_col) | i])
           .collect();
         DensePolynomial::new(z)
       })
       .collect();
-    debug_assert!(polys.len() == pow_m);
+
+    debug_assert!(polys.len() == pow_m_col);
+    debug_assert!(polys[0].len == pow_m_row);
+
     pl_timer.stop();
     Self {
-      m,
+      m: m_col,
+      odd: if num_vars % 2 == 1 { 1 } else { 0 },
       polys,
       q: None,
       chis_b: None,
@@ -56,20 +77,20 @@ impl<E: Pairing> Polynomial<E> {
   // Given point = (\vec{a}, \vec{b}), compute the polynomial q as
   // q(Y) =
   // \sum_{j \in \{0,1\}^m}(\sum_{i \in \{0,1\}^m} p(j,i) * chi_i(b)) * chi_j(Y)
-  // and p(a,b) = q(b) where p is the initial polynomial
+  // and p(a,b) = q(a) where p is the initial polynomial
   fn get_q(&mut self, point: &[E::ScalarField]) {
     let q_timer = Timer::new("build_q");
-    debug_assert!(point.len() == 2 * self.m);
-    let _a = &point[0..self.m];
-    let b = &point[self.m..2 * self.m];
+
+    debug_assert!(point.len() == 2 * self.m + self.odd);
+    let b = &point[self.m + self.odd..];
     let pow_m = 2_usize.pow(self.m as u32);
 
     let chis: Vec<E::ScalarField> = (0..pow_m)
       .into_par_iter()
       .map(|i| Self::get_chi_i(b, i))
       .collect();
 
-    let z_q: Vec<E::ScalarField> = (0..pow_m)
+    let z_q: Vec<E::ScalarField> = (0..(pow_m * 2_usize.pow(self.odd as u32)))
       .into_par_iter()
       .map(|j| (0..pow_m).map(|i| self.polys[i].Z[j] * chis[i]).sum())
       .collect();
@@ -80,10 +101,9 @@ impl<E: Pairing> Polynomial<E> {
   }
 
   // Given point = (\vec{a}, \vec{b}) used to construct q
-  // compute q(b) = p(a,b).
+  // compute q(a) = p(a,b).
   pub fn eval(&mut self, point: &[E::ScalarField]) -> E::ScalarField {
-    let a = &point[0..point.len() / 2];
-    let _b = &point[point.len() / 2..point.len()];
+    let a = &point[0..point.len() / 2 + self.odd];
     if self.q.is_none() {
       self.get_q(point);
     }
@@ -96,9 +116,7 @@ impl<E: Pairing> Polynomial<E> {
 
   pub fn commit(&self, ck: &CommitterKey<E>) -> (Vec<Commitment<E>>, E::TargetField) {
     let timer_commit = Timer::new("sqrt_commit");
-
     let timer_list = Timer::new("comm_list");
-
     // commit to each of the sqrt sized p_i
     let comm_list: Vec<Commitment<E>> = self
       .polys
@@ -107,7 +125,7 @@ impl<E: Pairing> Polynomial<E> {
       .collect();
     timer_list.stop();
 
-    let h_vec = ck.powers_of_h[0].clone();
+    let h_vec = ck.powers_of_h[self.odd].clone();
     assert!(comm_list.len() == h_vec.len());
 
     let ipp_timer = Timer::new("ipp");
@@ -155,8 +173,7 @@ impl<E: Pairing> Polynomial<E> {
     point: &[E::ScalarField],
     t: &E::TargetField,
   ) -> (Commitment<E>, Proof<E>, MippProof<E>) {
-    let m = point.len() / 2;
-    let a = &point[0..m];
+    let a = &point[0..self.m + self.odd];
     if self.q.is_none() {
       self.get_q(point);
     }
@@ -168,7 +185,6 @@ impl<E: Pairing> Polynomial<E> {
     // Compute the PST commitment to q obtained as the inner products of the
     // commitments to the polynomials p_i and chi_i(\vec{b}) for i ranging over
     // the boolean hypercube of size m.
-    let _m = a.len();
     let timer_msm = Timer::new("msm");
     if self.chis_b.is_none() {
       panic!("chis(b) should have been computed for q");
@@ -188,7 +204,7 @@ impl<E: Pairing> Polynomial<E> {
     };
     let comm = MultilinearPC::<E>::commit(ck, &q);
     debug_assert!(c_u == comm.g_product);
-    let h_vec = ck.powers_of_h[0].clone();
+    let h_vec = ck.powers_of_h[self.odd].clone();
 
     // construct MIPP proof that U is the inner product of the vector A
     // and the vector y, where A is the opening vector to T
@@ -224,8 +240,9 @@ impl<E: Pairing> Polynomial<E> {
     T: &E::TargetField,
   ) -> bool {
     let len = point.len();
-    let a = &point[0..len / 2];
-    let b = &point[len / 2..len];
+    let odd = if len % 2 == 1 { 1 } else { 0 };
+    let a = &point[0..len / 2 + odd];
+    let b = &point[len / 2 + odd..len];
 
     let timer_mipp_verify = Timer::new("mipp_verify");
     // verify that U = A^y where A is the opening vector of T
@@ -260,7 +277,7 @@ mod tests {
   #[test]
   fn check_sqrt_poly_eval() {
     let mut rng = ark_std::test_rng();
-    let num_vars = 8;
+    let num_vars = 6;
     let len = 2_usize.pow(num_vars);
     let Z: Vec<F> = (0..len).into_iter().map(|_| F::rand(&mut rng)).collect();
     let r: Vec<F> = (0..num_vars)
@@ -278,18 +295,25 @@ mod tests {
   }
 
   #[test]
-  fn check_new_poly_commit() {
+  fn check_commit() {
+    // check odd case
+    check_sqrt_poly_commit(5);
+
+    // check even case
+    check_sqrt_poly_commit(6);
+  }
+
+  fn check_sqrt_poly_commit(num_vars: u32) {
     let mut rng = ark_std::test_rng();
-    let num_vars = 4;
     let len = 2_usize.pow(num_vars);
     let Z: Vec<F> = (0..len).into_iter().map(|_| F::rand(&mut rng)).collect();
     let r: Vec<F> = (0..num_vars)
       .into_iter()
       .map(|_| F::rand(&mut rng))
       .collect();
 
-    let gens = MultilinearPC::<E>::setup(2, &mut rng);
-    let (ck, vk) = MultilinearPC::<E>::trim(&gens, 2);
+    let gens = MultilinearPC::<E>::setup(3, &mut rng);
+    let (ck, vk) = MultilinearPC::<E>::trim(&gens, 3);
 
     let mut pl = Polynomial::from_evaluations(&Z.clone());