zinc_piop/

random_field_sumcheck.rs

//! Sumcheck protocol that operates over a random field.

#[cfg(feature = "parallel")]
use rayon::prelude::*;
use std::marker::PhantomData;

use crypto_primitives::{ConstIntSemiring, FromPrimitiveWithConfig, PrimeField, Semiring};
use thiserror::Error;
use zinc_poly::mle::{DenseMultilinearExtension, dense::project_coeffs};
use zinc_transcript::traits::{ConstTranscribable, Transcript};
use zinc_utils::{
    cfg_into_iter, from_ref::FromRef, inner_transparent_field::InnerTransparentField,
    projectable_to_field::ProjectableToField,
};

use crate::sumcheck::{
    MLSumcheck, SumCheckError, SumcheckProof, prover::ProverState, verifier::Subclaim,
};

pub struct RFSumcheck<F, R>(PhantomData<(F, R)>);

#[derive(Clone, Debug, PartialEq)]
pub struct RFSumcheckProof<F: PrimeField, R>(pub SumcheckProof<F>, PhantomData<R>);

impl<F: PrimeField, R> RFSumcheckProof<F, R> {
    pub fn new(inner: SumcheckProof<F>) -> Self {
        Self(inner, Default::default())
    }
}

pub struct RFProverState<F: PrimeField, R>(pub ProverState<F>, PhantomData<R>);

impl<F: PrimeField, R> RFProverState<F, R> {
    pub fn new(sumcheck_prover_state: ProverState<F>) -> Self {
        Self(sumcheck_prover_state, Default::default())
    }
}

impl<F: FromPrimitiveWithConfig, R: Semiring + ProjectableToField<F>> RFSumcheck<F, R> {
    /// Random field sumcheck prover.
    /// Samples a random field element, projects the input MLEs
    /// and performs the sumcheck proving algorithm.
    ///
    /// # Arguments
    ///
    /// * `transcript`: A mutable reference to a Fiat-Shamir `Transcript`.
    /// * `mles`: A `Vec` of dense multilinear extension over the input semiring
    ///   `R`. These will be projected by the prover.
    /// * `mles_f`: A `Vec` of dense multilinear extension over the random
    ///   field. E.g. `eq_r` can go into this argument. These will not be
    ///   projected by the prover.
    /// * `nvars`: The number of variables over which the `mles` are defined.
    ///   This must be consistent across all `mles`.
    /// * `degree`: The maximum combined degree of the `mles` under the
    ///   `comb_fn`.
    /// * `comb_fn`: A closure that defines the combination function $G(\alpha,
    ///   \text{mles}(x))$. It takes the projecting element $\alpha$ the prover
    ///   has sampled and a slice of field elements (the evaluations of the
    ///   `mles` at a point $x$) and returns a single field element. The element
    ///   $\alpha$ might be used to project some parts of the sumcheck
    ///   polynomial, e.g. if a constraint systems requires projecting too.
    /// * `config`: The configuration for the underlying field used in the
    ///   protocol. The protocol does not sample the random prime and assumes it
    ///   comes in this argument.
    pub fn prove_as_subprotocol(
        transcript: &mut impl Transcript,
        mles: Vec<DenseMultilinearExtension<R>>,
        mles_f: Vec<DenseMultilinearExtension<F::Inner>>,
        nvars: usize,
        degree: usize,
        comb_fn: impl Fn(&F, &[F]) -> F + Send + Sync,
        field_cfg: &F::Config,
    ) -> (RFSumcheckProof<F, R>, RFProverState<F, R>)
    where
        F: InnerTransparentField,
        F::Inner: ConstTranscribable + ConstIntSemiring + FromRef<F::Inner>,
        F::Modulus: ConstTranscribable,
    {
        let projecting_element: F = transcript.get_field_challenge(field_cfg);

        let field_mles = cfg_into_iter!(mles)
            .map(|mle| project_coeffs(mle, &projecting_element))
            .chain(mles_f)
            .collect();

        let (proof, state) = MLSumcheck::prove_as_subprotocol(
            transcript,
            field_mles,
            nvars,
            degree,
            |x| comb_fn(&projecting_element, x),
            field_cfg,
        );

        (RFSumcheckProof::new(proof), RFProverState::new(state))
    }

    /// The verifier part of the random field sumcheck protocol.
    /// # Arguments
    ///
    /// * `transcript`: A mutable reference to a Fiat-Shamir `Transcript`.
    /// * `num_vars`: The number of variables over which the sum was originally
    ///   computed.
    /// * `degree`: The maximum combined degree of the underlying polynomial
    ///   $G(x)$. This must match the degree used by the Prover.
    /// * `claimed_sum`: The initial claimed value of the sum.
    /// * `proof`: A reference to the `SumcheckProof<F>` generated by the
    ///   Prover.
    /// * `config`: The configuration for the underlying field used in the
    ///   protocol.
    pub fn verify_as_subprotocol(
        transcript: &mut impl Transcript,
        num_vars: usize,
        degree: usize,
        proof: &RFSumcheckProof<F, R>,
        field_cfg: F::Config,
    ) -> Result<Subclaim<F>, RFSumcheckError<F>>
    where
        F::Inner: ConstTranscribable + ConstIntSemiring,
        F::Modulus: ConstTranscribable,
    {
        // Simulate getting the projecting element
        // Verifier does not use that element as it verifies only over RC,
        // but we keep it here for stability of FS sampling.
        let _ = transcript.get_field_challenge::<F>(&field_cfg);

        let subclaim =
            MLSumcheck::verify_as_subprotocol(transcript, num_vars, degree, &proof.0, &field_cfg)?;

        Ok(subclaim)
    }
}

#[derive(Error, Debug)]
pub enum RFSumcheckError<F: PrimeField> {
    #[error("underlying sumcheck error: {0}")]
    SumCheckError(SumCheckError<F>),
}

impl<F: PrimeField> From<SumCheckError<F>> for RFSumcheckError<F> {
    fn from(value: SumCheckError<F>) -> Self {
        Self::SumCheckError(value)
    }
}

#[cfg(test)]
mod tests {
    use crypto_primitives::{Field, FromWithConfig, crypto_bigint_monty::MontyField};
    use num_traits::Zero;
    use rand::{Rng, rng};
    use zinc_poly::{
        mle::DenseMultilinearExtension, univariate::binary::BinaryPoly, utils::build_eq_x_r_inner,
    };
    use zinc_primality::MillerRabin;
    use zinc_transcript::{Blake3Transcript, traits::Transcript};

    use crate::random_field_sumcheck::RFSumcheck;

    const LIMBS: usize = 4;

    type F = MontyField<LIMBS>;

    #[test]
    fn test_simple_product_random_field_sumcheck() {
        let witness_size = 1 << 3;
        let mut rng = rng();
        let a: Vec<u32> = (0..witness_size).map(|_| rng.random()).collect();
        let b: Vec<u32> = (0..witness_size).map(|_| rng.random()).collect();
        let c: Vec<u32> = (0..witness_size).map(|_| rng.random()).collect();

        let nvars = zinc_utils::log2(witness_size) as usize;

        let a: DenseMultilinearExtension<BinaryPoly<32>> =
            DenseMultilinearExtension::from_evaluations_vec(
                nvars,
                a.into_iter().map(BinaryPoly::from).collect(),
                BinaryPoly::zero(),
            );

        let b: DenseMultilinearExtension<BinaryPoly<32>> =
            DenseMultilinearExtension::from_evaluations_vec(
                nvars,
                b.into_iter().map(BinaryPoly::from).collect(),
                BinaryPoly::zero(),
            );

        let c: DenseMultilinearExtension<BinaryPoly<32>> =
            DenseMultilinearExtension::from_evaluations_vec(
                nvars,
                c.into_iter().map(BinaryPoly::from).collect(),
                BinaryPoly::zero(),
            );

        let mut transcript = Blake3Transcript::new();

        let field_cfg = transcript.get_random_field_cfg::<F, <F as Field>::Inner, MillerRabin>();

        let eq_r = build_eq_x_r_inner(&vec![F::from_with_cfg(2u32, &field_cfg); nvars], &field_cfg)
            .expect("Failed to build eq_r");

        let proof = (RFSumcheck::<F, _>::prove_as_subprotocol(
            &mut transcript.clone(),
            vec![a, b, c],
            vec![eq_r],
            nvars,
            3,
            |_x, vals| (&vals[0] * &vals[1] - &vals[2]) * &vals[3],
            &field_cfg,
        ))
        .0;

        assert!(
            RFSumcheck::<F, _>::verify_as_subprotocol(
                &mut transcript,
                nvars,
                3,
                &proof,
                field_cfg,
            )
            .is_ok()
        )
    }
}