Implement a modularised version of the KZG10 commitment scheme to work with commitments in PLONK

The broken link is coming from the plonk-book. We need investigation into why it won't work.

At the moment it is a blocker so we will ignore the infra-link on the PR's

cc: @CPerezz @mathcrypto @markulf

There are some changes that could be made in order to improve the code of linearisation_poly.rs in terms of readability:

• Clearer variable names: Have more descriptive names instead of potentially ambiguous or confusing names (a, b, c, f_1, etc.)
• Descriptive function names: Try to reflect more accurately the purpose of the functions in its names
• Code comments: Add comments detailing which polynomials/ equations are being constructed and other clarifications when necessary

Commitment Gadget Design

Goal

Make a commitment gadget library based on ark-plonk.

Initial Design

We still need those features:

• A two-to-one hash:

  • candidate 1: Poseidon Hash (Used as Leaf Hash, or arity-2/ arity-4 hash)
  • candidate 2: Reimforcement-Concrete

• Two commitment schemes

  1. take a single scalar as input, output a group element
  2. take a bitarray as input, output a scalar

• Commitment Scheme using API like this (native and constraints)

trait Commitment{
    type Input;      //i.e. bitarray, a single scalar
    type Output;     //i.e. a single scalar, or a group element
    type CommitKey;
    type VerifyKey;
    type Proof;
    type Parameters;
    
    fn setup(...);
    fn commit<R: Rng>(parameters: &Parameters, ck: &CommitKey, input: &Input, rng: &mut R) -> Output;
    fn open(parameters: &Parameters,ck: &CommitKey, input: &Input, output: &Output) -> Proof;
    fn verify(parameters: &Parameters, vk: VerifyKey, input: &Input, output: &Output, proof: &Proof) -> bool;
}

• Choice Merkle Tree Leaf Hash that matches the output of Manta's commitment

trait LeafHash{
    type Input; 
    type Output;
    
    fn setup(...);
    fn evaluate(input: &Input) -> Output;
}

Questions:

• Can we design the trait that fits both native and constraints?

This issue will include the addition of lookups into the code via the plonkup proving system.

Add an extensive documentation in the style of Halo2 Book.
It should contain:

• Theoretical background and explanation of Plonk
• Details of the implementation including: description of the structures and traits, complexitites of the main operations, differences from the original protocol, etc.
• Examples of use

The purpose of the book should be to allow new developers to learn how to use this library in the easiest way possible.

Originally posted by @CPerezz in #61 (comment)

We currently have our VerifierKey being built by small aggregations of each custom-gate component, which "aggregates" it's VerifierKey piece into the general VerifierKey structure.

We should re-think this and implement a better solution, probably based on traits. That helps to reduce code and also to make more clear the codebase.

See: https://github.com/rust-zkp/ark-plonk/blob/master/src/proof_system/widget/mod.rs#L30-L48

At the moment, the amount of challenges on the transcript is not checked. All the transcripts are being generated, however only beta is appended. This does not cause failures as the challenges only need to equal in number and name for the prover & verifier - which they do.

The test should check that the number of challenges matches the spec.

Replace the commitment_scheme module that provides kzg10 commitments with ark_poly_commit to enable the use of other polynomial commitment schemes.

I see the naming convention as follows:

• The methods that have a _gate sufix (add_gate, mul_gate...) do not compute values, they receive as input the relevant wire values and selectors of the gate and check that the equation holds.
  The methods that do not have the _gate sufix (add, mul...) compute the output value w_o and always generate a satisfied constraint.
• The methods with big_ prefix receive a 4th wire, those without the prefix don´t.

I think big_arith and big_arith_gate fit in the same family as poly_gate so we should choose a common name for all of them: poly or arith.

Originally posted by @davidnevadoc in #43 (comment)

We should have some way of hashing circuits/constraint systems/gadgets/etc, and then when they stabilize, create tests to pin each to their exact instantiation to ensure any unintended changes are detectable.

In Halo2 we have a fantastic tool for circuit-debugging purposes. The MockProver. It basically allows to check all the gate-constraints and Lookup errors returning a really accurated description of the error place and the values involved in it.

The idea is to do something similar. Which at the same time, aims to reduce testing-time since it does not actually perform any commitments or requires any setup.

See more details here: https://github.com/zcash/halo2/blob/d111807798d4719df36dc2b05b0104b69efdceb3/halo2_proofs/src/dev.rs#L465

Once #10 is completed, we should think about adding benchmarks and take some numbers to see how the proving and verification processes perform.

And expose the results extracted from Criterion in the README.md

The Plonk protocol provides zero-knowledge by adding random multiples of the vanishing polynomial Z_H (referred as blinder polynomials) to the witness based polynomials: The wire polynomials + permutation polynomial.

We should add these blinders.

I really like the gadget_tester in ark-plonk, which makes writing end-to-end tests much easier, but this gadget is pub(crate) so user cannot access it...

I believe many users will end up writing their own gadgets (for gadgets, I mean any function that includes StandardComposer as a parameter). Can we make the following public:

• gadget_tester
• batch_test!

If there is any reason that prevents doing so, shall we have a good testing framework? Writing end-to-end tests for a gadget from scratch is a bit verbose.

Thanks!

As said by @Pratyush

you don't need to bound by both C: ProjectiveCurve and P: TEParameters; you can access the Edwards curve
corresponding to the parameters by doing TEProjective

(You can still match the fields up by doing E: PairingEngine<Fr = P::ScalarField>

Therefore, we should proceed on that way and save a trait bound in the Composer struct.

A given concrete circuit may only use a subset of the custom-gate functionality available to the proof system. This can be detected whenever some selectors are all zero throughout the circuit. More generally, if a selector is nonzero but constant throughout the circuit, we can also reduce the complexity of the quotient polynomial. This is a step towards the fully customizable system where users can design their own custom gates and the proof system will select the subset of custom gates which are used in any concrete circuit.

The crate is based on the Rust 2015 edition now.

We should aim to be compatible with the newest editions such as 2018 and 2021.
Also, adding lints for them could be really useful.

KZG commitments typically use a monomial basis for its structured reference string (SRS). By switching to a Lagrange basis for the SRS we can avoid computing an iFFT for each commitment.

Monomial basis KZG

For secret scalar s and group generator G we have {G, sG, s^2G, ... , s^nG}

Lagrange basis KZG

For secret scalar s and group generator G we have {L_0(s)G, L_1(s)G, L_2(G), ...., L_{n-1}(s)G} where L_k is the kth Lagrange basis polynomial over the domain H, where H is a multiplicative subgroup generated by w. That is, L_k is the polynomial for which L_k(w^k) = 1 but takes the value 0 on all other powers of w.

If the SRS is in Lagrange form (evaluation form), committing to a polynomial that is also in evaluation form is just a multi-scalar multiplication and an iFFT does not need to be performed. Justin Drake refers to this trick in this ZK Study Club talk: https://www.youtube.com/watch?v=TbNauD5wgXM

Changes to be made in ark-plonk

All commitments would need to be modified so that they no longer perform an iFFT before committing if the SRS is in Lagrange form.

Changes to be made elsewhere

KZG setup and commit functions will need to be changed in ark-poly-commit to support Lagrange form setup and commitment

Possibilities

It may be possible to to convert an SRS that was created in monomial form into one in Lagrange form. This might be a major computation but would only need to be done once per setup.

All variables in the circuit are viewed as the pairing friendly curve scalars regardless of their function (i.e. wire values, coordinates of an embedded curve point or embedded curve scalars).
It is necessary to implement safe transformations between these two types so that the embedded curve scalars can be used in scalar-point multiplications and as variables in the circuit.

With this change, it would be possible to add &str definitions for each gate created which can be used for debugging purposes later on.

The idea is to end up with something much closer and that is better handled in other libs such as Halo2 which looks like:

meta.create_gate("R1CS constraint", |meta| {
             let a = meta.query_advice(a, Rotation::cur());
             let b = meta.query_advice(b, Rotation::cur());
             let c = meta.query_advice(c, Rotation::cur());
             let s = meta.query_selector(s);

             // BUG: Should be a * b - c
             Some(("buggy R1CS", s * (a * b + c)))
         });

Which enables producing better err messages while debugging like:

Err(vec![VerifyFailure::ConstraintNotSatisfied {
constraint: ((0, "R1CS constraint").into(), 0, "buggy R1CS").into(),
location: FailureLocation::InRegion {
region: (0, "Example region").into(),
offset: 0,
},

That overall should help to:

• Gadget composability
• Gadget/circuit debugging (#101 )

@bhgomes, does the benches/plonk.rs compile on your machine?

Originally posted by @LukePearson1 in #49 (comment)

After the merge of #55 the deployment of the Book is not working.
This should be fixed before moving to a workspace

As @markulf pointed out, there are outdated docs in the repo.

The current changes to ark-plonk should better reflect the theory implementation.

This repo is strictly pegged to std dependencies, unlike most other Arkworks repositories. Is anyone working on compiling this in WASM?

The current BLS12-381 import is broken, this is in the examples folder sample circuit.

See: https://docs.rs/ark-serialize/0.3.0/ark_serialize/trait.CanonicalSerialize.html

This should target:

• Proof
• KZGProof
• OpeningKey
• ProverKey
• CommitKey
• VerifierKey
• PublicParameters
• VerifierData

We should do something like:

.ok_or(Error::InvalidEvalDomainSize {
                log_size_of_group: plonk_verifier_key.n.trailing_zeros(),
                adacity: <F as FftField>::FftParams::TWO_ADACITY,
            })?

instead of unwrap() but I'm having some issues implementing this.
I could just remove the parameters from InvalidEvalDomainSize or something quick, or leave it as unwrap and open another issue/PR for this case (since it's rather independent)

Originally posted by @joebebel in #61 (comment)

It has been decided that the license should be change for the direction of the organisation. This will remain MPL.

There should also be some readme changes.

These conversions like the one performed in:
https://github.com/ZK-Garage/plonk/blob/master/plonk-core/src/util.rs#L93 pub fn from_embedded_curve_scalar<F, P>( embedded_scalar: <P as ModelParameters>::ScalarField, ) -> F
https://github.com/ZK-Garage/plonk/blob/master/plonk-core/src/util.rs#L122 pub(crate) fn to_embedded_curve_scalar<F, P>(pfc_scalar: F) -> P::ScalarField

Are never safe unless we have 100% clear that our StandardComposer API previously enforced some constraints(not circuit constraints) that guarantee that we can safely make this conversions.

We should remove the pub visibility and make sure that the invariants are never broken for them.

Add macros to run the tests over several embedded curves and over different paring engines.
The tests should at least run over the following:

• Jubjub
• TE curve over Bls12-377

To make ark-plonk more useful, It would be nice to have a gadget library. (It should be a separate repo for the gadget library in my view).

The gadget library that in our interests include:

• a commitment gadget (should be agnostic to the hash functions or commitment scheme used)
• a ZK-friendly hash gadget, e.g. Pedersen Hash, Poseidon, Reinforcement-Concrete
• a merkle tree gadget

For the commitment gadget, @tsunrise and me has an initial interface design here:

#54

In my view, there might not be a perfect design, we are happy to start the implementation now starting from the commitment gadget. But in high-level, would like to get consensus on the following two things:

• repo organization
• stabilize the ark-plonk interface

Opening this to alert everyone that I am in the process of adapting Manta's poseidon implementation here (Manta-Network/Plonk-Prototype#3) to be ready to enter the plonk-hashing module.

This implementation includes filecoin's optimizations (see here too) as well as further optimizations that @tsunrise added.

I will link this issue to a PR over the coming days.

We want to build custom gates, lookups, etc. by considering each term's contribution to the quotient polynomial (and evaluation polynomials if we have terms that use local wires or "next" wires). These should be constructed symbolically at circuit::compile time.

While working on #59 I noticed about this:
https://github.com/rust-zkp/plonk/blob/7b8298ea16fd4b67220d3ff5c95053e171200e48/src/constraint_system/ecc/curve_addition/variable_base_gate.rs#L144

This basically is assuming a=-1 for all curves when indeed, that might not be true. And we should force the gates to be in respect of P::COEFF_A as they're for P::COEFF_D.

• Based on nightly without overwiriting the toolchain version.
• Not running anything for draft PRs.
• Passing doc tests and maybe clippy also. (We should discuss that one)

In #38 @bhgomes updated the clippy workflow.

The problem is that in GH actions, each step has to contain a run or uses statement. Otherways it translates into a direct CI failure.

That's my bad since I should had realized in the review.

That needs to be fixed by adding back:
uses: actions-rs/cargo@v1

We have left during the refactor several TODO's such as:

• Vanishing polynomial computations which are done "without being explicitly mentioned".
• Lagrange polynomial coefficient computations.
  And a large etc..

Currently this library has only an implementation of PLONK. In the coming weeks, we will be using the core functional to power gadgets as discussed in #54, and a hashing library.
The initial idea was to have these as separate libraries under the organisation. However, given the past difficulty of juggling lots of version updates, I think we should consider placing gadgets and hashing inside this one repo as modules. I see this as a successful approach in many projects.

It may also help with the exposing of witness values inside of variables, such with the mod_arith gadget that would be needed for the implementation of reinforced concrete. However, this warrants more thought wrt the exposing of modules.

WDYT? @bhgomes @lopeetall @CPerezz @noctrlz @tsunrise @julesdesmit @joebebel @EDGDrummond @stechu @iquerejeta @davidnevadoc @drewstone @GhostOfGauss @mathcrypto @markulf

The logic gates are explained with formulas drawn in the comments.
Automatic formatting has shifted this drawings making some of them incomprehensible. Example:

  //                    /                 \          /
  // \  c      - 4 . c  = | a      - 4 . a  | (& OR ^) | b
  // - 4 . b  |   i + 1        i   \  i + 1        i /
  // \  i + 1        i /
  //

Originally:

//                    /                 \          /                 \
//  c      - 4 . c  = | a      - 4 . a  | (& OR ^) | b      - 4 . b  |
//   i + 1        i   \  i + 1        i /          \  i + 1        i /
//

When verifying paths in a Merkle tree it is useful to use a conditional_select together with a bit based on whether a hash refers to the left/right sibling at a given level.  To generate validity proofs of paths I propose a gate is_eq_gate that has two input wires and an output wire whose value is constrained to be 1 if the input wires have equal values and 0 otherwise.  It seems natural for this to be accompanied by is_zero and is_nonzero gates that have a single input wire and an output wire whose value is constrained to be 1 if the input is zero/nonzero and 0 otherwise.

There needs to be a directory which includes the spec of the code, as well as open research items and questions.

Fix bug in TestCircuit implementation:

• Correct selector polynomial for add gate
• Add constraint for add and multiplication gates

We should expose asm and parallel features as well as any other avaliable so that the users are able to choose if they want or not to use them.

• Migrate the circuit module to arkworks backend.
• Migrate the Circuit tests to arkworks.
• Update the README.md example with the new circuit example.

The function add_dummy_constraints uses two arithmetic gates to add witnesses to the circuit. If the circuit itself also uses only arithmetic gates AND the total number of gates is a power of 2, then the circuit is never padded with 0s and the q_arith vector becomes constant which causes an error when committing to q_arith_poly.

Although this is unlikely to happen in a production circuit with many gates it can easily happen in tests of small subcircuits.

Until we implement lookups, all gates (including range, logic, etc.) resolve to arithmetic gates, so it might be tricky to make this work until lookups are enabled and we have a second "elemental" gate. But there may be a way to do it sooner by using an arithmetic selector value > 1.