CCS implementation #52
Conversation
|
@sjudson do you want to push lccs implementation to this branch? Alternatively, we can merge it in this state. What's the 2nd step in PR description about implementing CCCS? I believe it's already there nexus-zkvm/supernova/src/ccs/mod.rs Lines 177 to 182 in 3873380 (Regarding additional C in the type name: similar to R1CSInstance which is in fact committed and we just imply this without naming it CR1CSInstance. Note that spartan code on the other hand calls it CR1CS, but we could try to be consistent at least within the supernova crate)
|
There was a problem hiding this comment.
good work! my only comments that affect correctness/performance are a) swapping i and j in the matrix_to_mle function, and b) avoiding using mle_to_mvp, working with eval vectors rather than coefficient vectors everywhere. the rest are suggestions, and more or less a matter of taste.
sjudson
force-pushed
the
ccs
branch
3 times, most recently
from
e54242f to
64ba2cd
Compare
Co-authored-by: Dan Dore <dorebell@gmail.com>
This reverts commit 3463e43.
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
|
|
||
| impl<G: CurveGroup> CCSShape<G> { | ||
| /// Checks if the CCS instance together with the witness `W` satisfies the CCS constraints determined by `shape`. | ||
| pub fn is_satisfied<C: PolyCommitmentScheme<G>>( |
There was a problem hiding this comment.
When we implement CycleFold, we'll also need to consider CCS instances over the secondary field. The commitments for these will just be Pedersen commitments, not coming from a polynomial commitment scheme. (KZG-style commitments won't exist for the secondary curve, because it doesn't support pairings). On the other hand, it is indeed important - for compression - that the commitment scheme for the primary curve does come from a PCS. In the nova repo, we define everything in terms of vector commitment schemes, and then to create the "compressible" version, we coerce the PCS for the primary field into a vector commitment scheme. Another approach would be to just define separate types, e.g. CCSInstanceSecondary<G: CurveGroup, C: CommitmentScheme<G>> - it's a bit redundant, but maybe cleaner.
| /// Multisets of selector indices, each paired with a constant multiplier. | ||
| pub cSs: Vec<(G::ScalarField, Vec<usize>)>, | ||
| } | ||
|
|
There was a problem hiding this comment.
Putting the other type definitions (CCSInstance etc.) above the impls might improve readability.
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
There was a problem hiding this comment.
iandjshould be swapped here: later, we will callfix_variablesto get
the combination of the rows ofM, it will bind thelog_mlowest-order
bits.
I don't think this function is needed anymore. spartan uses a different method of turning sparse matrices into polynomials that's specialized for its "computational commitments". ;
|
|
||
| let z = [U.X.as_slice(), W.W.as_slice()].concat(); | ||
| let Mzs: Vec<G::ScalarField> = ark_std::cfg_iter!(&self.Ms) | ||
| .map(|M| vec_to_mle(M.multiply_vec(&z).as_slice()).evaluate::<G>(U.rs.as_slice())) |
There was a problem hiding this comment.
To ensure endianness compatibility with sumcheck, we need to ensure that the polynomial P(v): DenseMultilinearExtension that we pass to ark-ml-sumcheck later on satisfies P(v).evaluate(r) == vec_to_mle(v).evaluate(r). The evaluate() function for DenseMultilinearExtension is little-endian, i.e. the first variable is encoded by the least significant bit of the index. That's the opposite of how evaluate() works on spartan's DensePolynomial, so we either need P(v) = DenseMultilinearExtension::from_coefficients_vec(v.rev_bits()) xor we need vec_to_mle(v) = DensePolynomial::new(v.rev_bits()). Since both of these maps use clones anyway, it shouldn't be more expensive to reverse the bits.
* Initial CCS implementation. * Remove direct construction interfaces so that everything goes through R1CS. * Trim more, Fold multipliers together, and inline satisfaction checking. * Fix formatting. * Precompute products. * Remove direct CCS construction. * Add mle helpers. * Start to integrate polynomial commitments. * Shading closer to polynomial commitments. * Initial stab at relating various polynomial types and traits. * Finish utility functions. * Fix endianness and ranges and get tests passing. * Fix formatting. * Realized there's a better way to invoke the partially fixed polynomial. * Update interfaces and some additional reworking. * Resolve clippy. * Unify shapes. * Product renaming Co-authored-by: Dan Dore <dorebell@gmail.com> * Revert "Unify shapes." This reverts commit 3463e43. * Move to polynomial/poly commitment implementations from Spartan repo. * Move to unified matrix-based model. * Fix tests. * Fix fmt. * Remove files accidently restored during rebase. * Move to using polynomial commitment exlcusively. * Fix formatting. --------- Co-authored-by: Dan Dore <dorebell@gmail.com>
* add basic setup flow using SRS * merge with main * some small fixes to bugs in the compression module from recent PRs * spartan integration fixes * tests for srs generation * sets default srs size to 19 * use `deserialize_compressed_unchecked` * remove unnecessary blinding factor from SRS generation * fix * adds SRS to git lfs * add git lfs to CI workflow * sample test srs in CI * install nexus-tools in CI * ignore tests related to large SRS * remove SRS generation from CI * merge fixes * fmt * fixes from review * small fix * remove file-manipulating tests * Adds a cli option to the prover crate for compression (#55) * testing proof deserialization * proofs save and verify * removed cargo.lock * todo: merge dorebell onto this * fixed merge mistakes * reads proof and compresses. key not yet saved to file * added back cargo.lock * moved the compression cli into prover crate * formatting * remove whitespace * added com option to prove * updated local prove * todo:save key and proof to file * derive CanonicalSerialize+CanonicalDeserialize for Spartan types * add options to save and load spartan key from file * save compressed proof to file, implement arkworks serialization * clippy * remove SRS generation from CI * ignore spartan_encode_test * integrate compression cli with recent version of nexus-tools * add cli function to sample test SRS * forgot to add new files * small compression UI fixes * add spartan setup command to main 'cargo nexus' * bump number of SRS vars to 27 * minor fix * review fixes * another round of review fixes * read pp and srs from default cache locations if unspecified during compression * add helper function to get minimum srs size for a given k --------- Co-authored-by: Dan Dore <dorebell@gmail.com> * fix broken edit links in docs (#99) * CCS implementation (#52) * Initial CCS implementation. * Remove direct construction interfaces so that everything goes through R1CS. * Trim more, Fold multipliers together, and inline satisfaction checking. * Fix formatting. * Precompute products. * Remove direct CCS construction. * Add mle helpers. * Start to integrate polynomial commitments. * Shading closer to polynomial commitments. * Initial stab at relating various polynomial types and traits. * Finish utility functions. * Fix endianness and ranges and get tests passing. * Fix formatting. * Realized there's a better way to invoke the partially fixed polynomial. * Update interfaces and some additional reworking. * Resolve clippy. * Unify shapes. * Product renaming Co-authored-by: Dan Dore <dorebell@gmail.com> * Revert "Unify shapes." This reverts commit 3463e43. * Move to polynomial/poly commitment implementations from Spartan repo. * Move to unified matrix-based model. * Fix tests. * Fix fmt. * Remove files accidently restored during rebase. * Move to using polynomial commitment exlcusively. * Fix formatting. --------- Co-authored-by: Dan Dore <dorebell@gmail.com> * All Contributors Setup (#120) * Update README.md * Update README.md * Create .all-contributorsrc * docs: add nexus-xyz as a contributor for code (#121) * docs: update README.md * docs: update .all-contributorsrc --------- Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> * Switch Contributors (#122) * Delete .all-contributorsrc * Update README.md * fix merge conflicts --------- Co-authored-by: Guru Vamsi Policharla <guruvamsi.policharla@gmail.com> Co-authored-by: Daniel Marin <60114322+danielmarinq@users.noreply.github.com> Co-authored-by: Samuel Judson <sam@sjudson.com> Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com>
* Add Design Doc * Add Initial Type Specification * Sam Comments * Updates for Final Sam Comments
* Add Design Doc * Add Initial Type Specification * Sam Comments * Updates for Final Sam Comments
This PR implements the Customizable Constraint System (CCS) independently of the R1CS implementation, up to extracting the sparse matrix implementation so both can use it, and support for an R1CS -> CCS conversion:
Todo: