Fixed d nonsense

rasmus-kirk · Dec 30, 2024 · 9c95267 · 9c95267
1 parent a848887
commit 9c95267
Show file tree

Hide file tree

Showing 4 changed files with 149 additions and 66 deletions.
diff --git a/code/benches/acc.rs b/code/benches/acc.rs
@@ -8,22 +8,24 @@ use halo_accumulation::{
     group::{PallasPoly, PallasScalar},
     pcdl::{self},
 };
-use rand::Rng;
+use rand::{distributions::Uniform, Rng};
 
 //const N: usize = 8192;
 const N: usize = 512;
-const K: usize = 1;
+const K: usize = 10;
 
 fn random_instance<R: Rng>(rng: &mut R, d: usize) -> acc::Instance {
+    let d_prime = rng.sample(&Uniform::new(1, d));
+
     // Commit to a random polynomial
     let w = PallasScalar::rand(rng);
-    let p = PallasPoly::rand(d, rng);
-    let c = pcdl::commit(&p, Some(&w));
+    let p = PallasPoly::rand(d_prime, rng);
+    let c = pcdl::commit(&p, d, Some(&w));
 
     // Generate an evaluation proof
     let z = PallasScalar::rand(rng);
     let v = p.evaluate(&z);
-    let pi = pcdl::open(rng, p, c, &z, Some(&w));
+    let pi = pcdl::open(rng, p, c, d, &z, Some(&w));
 
     acc::Instance::new(c, d, z, v, pi)
 }
@@ -59,15 +61,29 @@ pub fn acc_decider(c: &mut Criterion) {
     c.bench_function("acc_decider", |b| b.iter(|| acc::decider(acc.clone())));
 }
 
-pub fn acc_hamid_fast(c: &mut Criterion) {
+// ----- Comparison Benchmarks ----- //
+
+fn acc_compare_fast_helper(d: usize, qss: &[Vec<Instance>], accs: Vec<Accumulator>) -> Result<()> {
+    let last_acc = accs.last().unwrap().clone();
+
+    for (acc, qs) in accs.into_iter().zip(qss) {
+        acc::verifier(d, qs, acc)?;
+    }
+
+    acc::decider(last_acc)?;
+
+    Ok(())
+}
+
+fn acc_compare_fast(n: usize, k: usize) -> (usize, Vec<Vec<Instance>>, Vec<Accumulator>) {
     let mut rng = test_rng();
-    let d = N - 1;
-    let mut accs = Vec::with_capacity(K);
-    let mut qss = Vec::with_capacity(K);
+    let d = n - 1;
+    let mut accs = Vec::with_capacity(k);
+    let mut qss = Vec::with_capacity(k);
 
     let mut acc: Option<Accumulator> = None;
 
-    for _ in 0..K {
+    for _ in 0..k {
         let q = random_instance(&mut rng, d);
         let qs = if let Some(acc) = acc {
             vec![acc.into(), q]
@@ -80,32 +96,25 @@ pub fn acc_hamid_fast(c: &mut Criterion) {
         accs.push(acc.as_ref().unwrap().clone());
         qss.push(qs);
     }
+    (d, qss, accs)
+}
 
-    fn helper(d: usize, qss: &[Vec<Instance>], accs: Vec<Accumulator>) -> Result<()> {
-        let last_acc = accs.last().unwrap().clone();
-
-        for (acc, qs) in accs.into_iter().zip(qss) {
-            acc::verifier(d, qs, acc)?;
-        }
-
-        acc::decider(last_acc)?;
-
-        Ok(())
+fn acc_compare_slow_helper(accs: Vec<Accumulator>) -> Result<()> {
+    for acc in accs.into_iter() {
+        acc::decider(acc)?;
     }
 
-    c.bench_function("acc_hamid_fast", |b| {
-        b.iter(|| helper(d, &qss, accs.clone()).unwrap())
-    });
+    Ok(())
 }
 
-pub fn acc_hamid_slow(c: &mut Criterion) {
+fn acc_compare_slow(n: usize, k: usize) -> Vec<Accumulator> {
     let mut rng = test_rng();
-    let d = N - 1;
-    let mut accs = Vec::with_capacity(K);
+    let d = n - 1;
+    let mut accs = Vec::with_capacity(k);
 
     let mut acc: Option<Accumulator> = None;
 
-    for _ in 0..K {
+    for _ in 0..k {
         let q = random_instance(&mut rng, d);
         let qs = if let Some(acc) = acc {
             vec![acc.into(), q]
@@ -117,16 +126,75 @@ pub fn acc_hamid_slow(c: &mut Criterion) {
 
         accs.push(acc.as_ref().unwrap().clone());
     }
+    accs
+}
 
-    fn helper(accs: Vec<Accumulator>) -> Result<()> {
-        for acc in accs.into_iter() {
-            acc::decider(acc)?;
-        }
+pub fn acc_cmp_s_512(c: &mut Criterion) {
+    let accs = acc_compare_slow(512, K);
+    c.bench_function("acc_cmp_s_512", |b| {
+        b.iter(|| acc_compare_slow_helper(accs.clone()).unwrap())
+    });
+}
 
-        Ok(())
-    }
+pub fn acc_cmp_f_512(c: &mut Criterion) {
+    let (d, qss, accs) = acc_compare_fast(512, K);
+    c.bench_function("acc_cmp_f_512", |b| {
+        b.iter(|| acc_compare_fast_helper(d, &qss, accs.clone()).unwrap())
+    });
+}
+
+pub fn acc_cmp_s_1024(c: &mut Criterion) {
+    let accs = acc_compare_slow(1024, K);
+    c.bench_function("acc_cmp_s_1024", |b| {
+        b.iter(|| acc_compare_slow_helper(accs.clone()).unwrap())
+    });
+}
+
+pub fn acc_cmp_f_1024(c: &mut Criterion) {
+    let (d, qss, accs) = acc_compare_fast(1024, K);
+    c.bench_function("acc_cmp_f_1024", |b| {
+        b.iter(|| acc_compare_fast_helper(d, &qss, accs.clone()).unwrap())
+    });
+}
+
+pub fn acc_cmp_s_2048(c: &mut Criterion) {
+    let accs = acc_compare_slow(2048, K);
+    c.bench_function("acc_cmp_s_2048", |b| {
+        b.iter(|| acc_compare_slow_helper(accs.clone()).unwrap())
+    });
+}
+
+pub fn acc_cmp_f_2048(c: &mut Criterion) {
+    let (d, qss, accs) = acc_compare_fast(2048, K);
+    c.bench_function("acc_cmp_f_2048", |b| {
+        b.iter(|| acc_compare_fast_helper(d, &qss, accs.clone()).unwrap())
+    });
+}
+
+pub fn acc_cmp_s_4096(c: &mut Criterion) {
+    let accs = acc_compare_slow(4096, K);
+    c.bench_function("acc_cmp_s_4096", |b| {
+        b.iter(|| acc_compare_slow_helper(accs.clone()).unwrap())
+    });
+}
+
+pub fn acc_cmp_f_4096(c: &mut Criterion) {
+    let (d, qss, accs) = acc_compare_fast(4096, K);
+    c.bench_function("acc_cmp_f_4096", |b| {
+        b.iter(|| acc_compare_fast_helper(d, &qss, accs.clone()).unwrap())
+    });
+}
+
+pub fn acc_cmp_s_8196(c: &mut Criterion) {
+    let accs = acc_compare_slow(8196, K);
+    c.bench_function("acc_cmp_s_8196", |b| {
+        b.iter(|| acc_compare_slow_helper(accs.clone()).unwrap())
+    });
+}
 
-    c.bench_function("acc_hamid_slow", |b| {
-        b.iter(|| helper(accs.clone()).unwrap())
+pub fn acc_cmp_f_8196(c: &mut Criterion) {
+    let (d, qss, accs) = acc_compare_fast(8196, K);
+    c.bench_function("acc_cmp_f_8196", |b| {
+        b.iter(|| acc_compare_fast_helper(d, &qss, accs.clone()).unwrap())
     });
 }
diff --git a/code/benches/bench.rs b/code/benches/bench.rs
@@ -27,8 +27,16 @@ criterion_group! {
         acc_prover,
         acc_verifier,
         acc_decider,
-        acc_hamid_slow,
-        acc_hamid_fast,
+        acc_cmp_s_512,
+        acc_cmp_s_1024,
+        acc_cmp_s_2048,
+        acc_cmp_s_4096,
+        acc_cmp_s_8196,
+        acc_cmp_f_512,
+        acc_cmp_f_1024,
+        acc_cmp_f_2048,
+        acc_cmp_f_4096,
+        acc_cmp_f_8196,
 }
 
 criterion_main!(acc, h);
diff --git a/code/src/acc.rs b/code/src/acc.rs
@@ -150,7 +150,7 @@ fn common_subroutine(
 
     // (3). Check that U_0 is a deterministic commitment to h_0: U_0 = PCDL.Commit_ρ0(ck^(1)_PC, h; ω = ⊥).
     ensure!(
-        *U_0 == pcdl::commit(h_0, None),
+        *U_0 == pcdl::commit(h_0, d, None),
         "U_0 ≠ PCDL.Commit_ρ0(ck^(1)_PC, h_0; ω = ⊥)"
     );
 
@@ -192,7 +192,7 @@ pub fn prover<R: Rng>(rng: &mut R, d: usize, qs: &[Instance]) -> Result<Accumula
     let h_0 = PallasPoly::rand(1, rng);
 
     // 2. Then compute a deterministic commitment to h_0: U_0 := PCDL.Commit_ρ0(ck_PC, h_0, d; ω = ⊥).
-    let U_0 = pcdl::commit(&h_0, None);
+    let U_0 = pcdl::commit(&h_0, d, None);
 
     // 3. Sample commitment randomness ω ∈ Fq, and set π_V := (h_0, U_0, ω).
     let w = PallasScalar::rand(rng);
@@ -206,7 +206,7 @@ pub fn prover<R: Rng>(rng: &mut R, d: usize, qs: &[Instance]) -> Result<Accumula
 
     // 6. Generate the hiding evaluation proof π := PCDL.Open_ρ0(ck_PC, h(X), C_bar, d, z; ω).
     //let pi = pcdl::open(rng, h, C_bar, d, &z, Some(&w));
-    let pi = pcdl::open(rng, h.get_poly(), C_bar, &z, Some(&w));
+    let pi = pcdl::open(rng, h.get_poly(), C_bar, d, &z, Some(&w));
 
     // 7. Finally, output the accumulator acc = ((C_bar, d, z, v), π) and the accumulation proof π_V.
     Ok(Accumulator {
@@ -262,15 +262,17 @@ mod tests {
     use super::*;
 
     fn random_instance<R: Rng>(rng: &mut R, d: usize) -> Instance {
+        let d_prime = rng.sample(&Uniform::new(1, d));
+
         // Commit to a random polynomial
         let w = PallasScalar::rand(rng);
-        let p = PallasPoly::rand(d, rng);
-        let C = pcdl::commit(&p, Some(&w));
+        let p = PallasPoly::rand(d_prime, rng);
+        let C = pcdl::commit(&p, d, Some(&w));
 
         // Generate an evaluation proof
         let z = PallasScalar::rand(rng);
         let v = p.evaluate(&z);
-        let pi = pcdl::open(rng, p, C, &z, Some(&w));
+        let pi = pcdl::open(rng, p, C, d, &z, Some(&w));
 
         Instance { C, d, z, v, pi }
     }

diff --git a/code/src/pcdl.rs b/code/src/pcdl.rs
@@ -41,16 +41,6 @@ impl<T> VecPushOwn<T> for Vec<T> {
     }
 }
 
-pub fn commit(p: &PallasPoly, w: Option<&PallasScalar>) -> PallasPoint {
-    let d = p.degree();
-    let n = d + 1;
-
-    assert!(n.is_power_of_two());
-    assert!(d <= D);
-
-    pedersen::commit(w, &GS[0..n], &p.coeffs)
-}
-
 #[derive(Clone, CanonicalSerialize)]
 pub struct HPoly {
     pub(crate) xis: Vec<PallasScalar>,
@@ -101,6 +91,19 @@ impl HPoly {
     }
 }
 
+pub fn commit(p: &PallasPoly, d: usize, w: Option<&PallasScalar>) -> PallasPoint {
+    let n = d + 1;
+
+    assert!(n.is_power_of_two());
+    assert!(p.degree() <= d);
+    assert!(d <= D);
+
+    let mut coeffs = p.coeffs.clone();
+    coeffs.resize(n, PallasScalar::ZERO);
+
+    pedersen::commit(w, &GS[0..n], &coeffs)
+}
+
 /// rng: Required since the function uses randomness
 /// p: A univariate polynomial p(X)
 /// C: A commitment to p,
@@ -110,13 +113,14 @@ pub fn open<R: Rng>(
     rng: &mut R,
     p: PallasPoly,
     C: PallasPoint,
+    d: usize,
     z: &PallasScalar,
     w: Option<&PallasScalar>,
 ) -> EvalProof {
-    let d = p.degree();
     let n = d + 1;
     let lg_n = n.ilog2() as usize;
     assert!(n.is_power_of_two());
+    assert!(p.degree() <= d);
     assert!(d <= D);
 
     // 1. Compute the evaluation v := p(z) ∈ Fq.
@@ -126,7 +130,7 @@ pub fn open<R: Rng>(
         // (2). Sample a random polynomial p_bar ∈ F^(≤d)_q[X] such that p_bar(z) = 0.
         // p_bar(X) = (X - z) * q(X), where q(X) is a uniform random polynomial
         let z_poly = PallasPoly::from_coefficients_vec(vec![-*z, PallasScalar::ONE]);
-        let q = PallasPoly::rand(d - 1, rng);
+        let q = PallasPoly::rand(p.degree() - 1, rng);
         let p_bar = q * z_poly;
         assert_eq!(p_bar.evaluate(z), PallasScalar::ZERO);
         assert_eq!(p_bar.degree(), p.degree());
@@ -135,7 +139,7 @@ pub fn open<R: Rng>(
         let w_bar = PallasScalar::rand(rng);
 
         // (4). Compute a hiding commitment to p_bar: C_bar ← CM.Commit^(ρ0)(ck, p_bar; ω_bar) ∈ G.
-        let C_bar = commit(&p_bar, Some(&w_bar));
+        let C_bar = commit(&p_bar, d, Some(&w_bar));
 
         // (5). Compute the challenge α := ρ(C, z, v, C_bar) ∈ F^∗_q.
         let a = rho_0![C, z, v, C_bar];
@@ -169,6 +173,7 @@ pub fn open<R: Rng>(
     let H_prime = H * xi_i;
 
     let mut cs = p_prime.coeffs;
+    cs.resize(n, PallasScalar::ZERO);
     let mut gs: Vec<PallasPoint> = GS[0..n].iter().map(|x| PallasPoint::from(*x)).collect();
     let mut zs = construct_powers(z, n);
 
@@ -412,19 +417,19 @@ mod tests {
     #[test]
     fn test_check() -> Result<()> {
         let mut rng = rand::thread_rng();
-        let n_range = Uniform::new(2, 10);
-        let n = (2 as usize).pow(rng.sample(&n_range));
+        let n = (2 as usize).pow(rng.sample(&Uniform::new(2, 10)));
         let d = n - 1;
+        let d_prime = rng.sample(&Uniform::new(1, d));
 
         // Commit to a random polynomial
         let w = PallasScalar::rand(&mut rng);
-        let p = PallasPoly::rand(d, &mut rng);
-        let C = commit(&p, Some(&w));
+        let p = PallasPoly::rand(d_prime, &mut rng);
+        let C = commit(&p, d, Some(&w));
 
         // Generate an evaluation proof
         let z = PallasScalar::rand(&mut rng);
         let v = p.evaluate(&z);
-        let pi = open(&mut rng, p, C, &z, Some(&w));
+        let pi = open(&mut rng, p, C, d, &z, Some(&w));
 
         // Verify that check works
         check(&C, d, &z, &v, pi)?;
@@ -435,18 +440,18 @@ mod tests {
     #[test]
     fn test_check_no_hiding() -> Result<()> {
         let mut rng = rand::thread_rng();
-        let n_range = Uniform::new(2, 10);
-        let n = (2 as usize).pow(rng.sample(&n_range));
+        let n = (2 as usize).pow(rng.sample(&Uniform::new(2, 10)));
         let d = n - 1;
+        let d_prime = rng.sample(&Uniform::new(1, d));
 
         // Commit to a random polynomial
-        let p = PallasPoly::rand(d, &mut rng);
-        let C = commit(&p, None);
+        let p = PallasPoly::rand(d_prime, &mut rng);
+        let C = commit(&p, d, None);
 
         // Generate an evaluation proof
         let z = PallasScalar::rand(&mut rng);
         let v = p.evaluate(&z);
-        let pi = open(&mut rng, p, C, &z, None);
+        let pi = open(&mut rng, p, C, d, &z, None);
 
         // Verify that check works
         check(&C, d, &z, &v, pi)?;