Merge pull request #109 from dalek-cryptography/circuit

Circuit work tracker [WIP]

Author: hdevalence

.travis.yml

@@ -6,10 +6,10 @@ rust:
 
 env:
   - TEST_COMMAND=test EXTRA_FLAGS='' FEATURES=''
-  - TEST_COMMAND=test EXTRA_FLAGS='' FEATURES='avx2_backend'
+  - TEST_COMMAND=test EXTRA_FLAGS='' FEATURES='yoloproofs'
   # run cargo bench with a filter that matches no benchmarks.
   # this ensures the benchmarks build but doesn't run them on the CI server.
-  - TEST_COMMAND=bench EXTRA_FLAGS='"DONTRUNBENCHMARKS"' FEATURES='avx2_backend'
+  - TEST_COMMAND=bench EXTRA_FLAGS='"DONTRUNBENCHMARKS"' FEATURES=''
 
 before_script:
   - rustup component add rustfmt-preview

Cargo.toml

@@ -31,8 +31,12 @@ bincode = "1"
 
 [features]
 avx2_backend = ["curve25519-dalek/avx2_backend"]
+yoloproofs = []
 
 [[bench]]
-name = "bulletproofs"
+name = "range_proof"
 harness = false
 
+#[[bench]]
+#name = "r1cs"
+#harness = false

README.md

@@ -28,9 +28,9 @@ This library provides implementations of:
 
 * A programmable constraint system API for expressing rank-1
   constraint systems, and proving and verifying proofs of arbitrary
-  statements (under development in the `circuit` branch);
+  statements (unstable, under development with the `yoloproofs` feature);
 
-* Online multi-party computation for aggregated circuit proofs
+* Online multi-party computation for aggregated constraint system proofs
   (planned future work).
 
 These proofs are implemented using [Merlin transcripts][doc_merlin],
@@ -48,9 +48,9 @@ the library's [internal documentation][doc_internal]:
 * how [the range proof protocol works][rp_notes];
 * how [the inner product proof protocol works][ipp_notes];
 * how [the aggregation protocol works][agg_notes];
-* how the Bulletproof circuit proofs work (under development);
+* how the Bulletproof constraint system proofs work (under development);
 * how the constraint system reduction works (under development);
-* how the aggregated circuit proofs work (future work).
+* how the aggregated constraint system proofs work (future work).
 
 ## Comparative Performance
 

benches/r1cs.rs

@@ -0,0 +1,286 @@
+extern crate bulletproofs;
+use bulletproofs::r1cs::{ConstraintSystem, ProverCS, R1CSError, R1CSProof, Variable, VerifierCS};
+use bulletproofs::{BulletproofGens, PedersenGens};
+
+#[macro_use]
+extern crate criterion;
+use criterion::Criterion;
+
+extern crate curve25519_dalek;
+use curve25519_dalek::ristretto::CompressedRistretto;
+use curve25519_dalek::scalar::Scalar;
+
+extern crate merlin;
+use merlin::Transcript;
+
+extern crate rand;
+use rand::Rng;
+
+/* 
+K-SHUFFLE GADGET SPECIFICATION:
+
+Represents a permutation of a list of `k` scalars `{x_i}` into a list of `k` scalars `{y_i}`.
+
+Algebraically it can be expressed as a statement that for a free variable `z`, 
+the roots of the two polynomials in terms of `z` are the same up to a permutation:
+
+    ∏(x_i - z) == ∏(y_i - z)
+
+Prover can commit to blinded scalars `x_i` and `y_i` then receive a random challenge `z`, 
+and build a proof that the above relation holds.
+
+K-shuffle requires `2*(K-1)` multipliers.
+
+For K > 1:
+
+        (x_0 - z)---⊗------⊗---(y_0 - z)        // mulx[0], muly[0]
+                    |      |
+        (x_1 - z)---⊗      ⊗---(y_1 - z)        // mulx[1], muly[1]
+                    |      |
+                   ...    ...
+                    |      |
+    (x_{k-2} - z)---⊗      ⊗---(y_{k-2} - z)    // mulx[k-2], muly[k-2]
+                   /        \
+    (x_{k-1} - z)_/          \_(y_{k-1} - z)
+
+    // Connect left and right sides of the shuffle statement
+    mulx_out[0] = muly_out[0]
+
+    // For i == [0, k-3]:
+    mulx_left[i]  = x_i - z
+    mulx_right[i] = mulx_out[i+1]
+    muly_left[i]  = y_i - z
+    muly_right[i] = muly_out[i+1]
+
+    // last multipliers connect two last variables (on each side)
+    mulx_left[k-2]  = x_{k-2} - z
+    mulx_right[k-2] = x_{k-1} - z
+    muly_left[k-2]  = y_{k-2} - z
+    muly_right[k-2] = y_{k-1} - z
+
+For K = 1:
+
+    (x_0 - z)--------------(y_0 - z)
+
+    // Connect x to y directly, omitting the challenge entirely as it cancels out
+    x_0 = y_0
+*/
+
+// Make a gadget that adds constraints to a ConstraintSystem, such that the
+// y variables are constrained to be a valid shuffle of the x variables.
+struct KShuffleGadget {}
+
+impl KShuffleGadget {
+    fn fill_cs<CS: ConstraintSystem>(cs: &mut CS, x: &[Variable], y: &[Variable]) {
+        let one = Scalar::one();
+        let z = cs.challenge_scalar(b"k-scalar shuffle challenge");
+
+        assert_eq!(x.len(), y.len());
+
+        let k = x.len();
+        if k == 1 {
+            cs.add_auxiliary_constraint([(x[0], -one), (y[0], one)].iter().collect());
+            return;
+        }
+
+        // Make last x multiplier for i = k-1 and k-2
+        let (_, _, last_mulx_out) = cs.add_partial_constraint(x[k - 1] - z, x[k - 2] - z);
+
+        // Make multipliers for x from i == [0, k-3]
+        let first_mulx_out = (0..k - 2).rev().fold(last_mulx_out, |prev_out, i| {
+            let (_, _, o) = cs.add_partial_constraint(prev_out.into(), x[i] - z);
+            o
+        });
+
+        // Make last y multiplier for i = k-1 and k-2
+        let (_, _, last_muly_out) = cs.add_partial_constraint(y[k - 1] - z, y[k - 2] - z);
+
+        // Make multipliers for y from i == [0, k-3]
+        let first_muly_out = (0..k - 2).rev().fold(last_muly_out, |prev_out, i| {
+            let (_, _, o) = cs.add_partial_constraint(prev_out.into(), y[i] - z);
+            o
+        });
+
+        // Check equality between last x mul output and last y mul output
+        cs.add_auxiliary_constraint(
+            [(first_muly_out, -one), (first_mulx_out, one)]
+                .iter()
+                .collect(),
+        );
+    }
+
+    pub fn prove<'a, 'b>(
+        pc_gens: &'b PedersenGens,
+        bp_gens: &'b BulletproofGens,
+        transcript: &'a mut Transcript,
+        input: &[Scalar],
+        output: &[Scalar],
+    ) -> Result<(R1CSProof, Vec<CompressedRistretto>), R1CSError> {
+        let k = input.len();
+
+        // Prover makes a `ConstraintSystem` instance representing a shuffle gadget
+        // Make v vector
+        let mut v = Vec::with_capacity(2 * k);
+        v.extend_from_slice(input);
+        v.extend_from_slice(output);
+
+        // Make v_blinding vector using RNG from transcript
+        let mut rng = {
+            let mut builder = transcript.build_rng();
+            // commit the secret values
+            for &v_i in &v {
+                builder = builder.commit_witness_bytes(b"v_i", v_i.as_bytes());
+            }
+            use rand::thread_rng;
+            builder.finalize(&mut thread_rng())
+        };
+        let v_blinding: Vec<Scalar> = (0..2 * k).map(|_| Scalar::random(&mut rng)).collect();
+        let (mut prover_cs, variables, commitments) =
+            ProverCS::new(&bp_gens, &pc_gens, transcript, v, v_blinding.clone());
+
+        // Prover allocates variables and adds constraints to the constraint system
+        let (input_vars, output_vars) = variables.split_at(k);
+        KShuffleGadget::fill_cs(&mut prover_cs, input_vars, output_vars);
+
+        // Prover generates proof
+        let proof = prover_cs.prove()?;
+        Ok((proof, commitments))
+    }
+
+    pub fn verify<'a, 'b>(
+        pc_gens: &'b PedersenGens,
+        bp_gens: &'b BulletproofGens,
+        transcript: &'a mut Transcript,
+        proof: &R1CSProof,
+        commitments: &Vec<CompressedRistretto>,
+    ) -> Result<(), R1CSError> {
+        let k = commitments.len() / 2;
+
+        // Verifier makes a `ConstraintSystem` instance representing a shuffle gadget
+        let (mut verifier_cs, variables) =
+            VerifierCS::new(&bp_gens, &pc_gens, transcript, commitments.to_vec());
+
+        // Verifier allocates variables and adds constraints to the constraint system
+        let (input_vars, output_vars) = variables.split_at(k);
+        KShuffleGadget::fill_cs(&mut verifier_cs, input_vars, output_vars);
+
+        // Verifier verifies proof
+        verifier_cs.verify(&proof)
+    }
+}
+
+fn kshuffle_prove_helper(k: usize, c: &mut Criterion) {
+    let label = format!("{}-shuffle proof creation", k);
+
+    c.bench_function(&label, move |b| {
+        // Generate inputs and outputs to kshuffle
+        let mut rng = rand::thread_rng();
+        let (min, max) = (0u64, std::u64::MAX);
+        let input: Vec<Scalar> = (0..k)
+            .map(|_| Scalar::from(rng.gen_range(min, max)))
+            .collect();
+        let mut output = input.clone();
+        rand::thread_rng().shuffle(&mut output);
+
+        // Make kshuffle proof
+        let pc_gens = PedersenGens::default();
+        let bp_gens = BulletproofGens::new(128, 1);
+        b.iter(|| {
+            let mut prover_transcript = Transcript::new(b"ShuffleTest");
+            KShuffleGadget::prove(&pc_gens, &bp_gens, &mut prover_transcript, &input, &output)
+                .unwrap();
+        })
+    });
+}
+
+fn kshuffle_prove_8(c: &mut Criterion) {
+    kshuffle_prove_helper(8, c);
+}
+fn kshuffle_prove_16(c: &mut Criterion) {
+    kshuffle_prove_helper(16, c);
+}
+fn kshuffle_prove_32(c: &mut Criterion) {
+    kshuffle_prove_helper(32, c);
+}
+fn kshuffle_prove_64(c: &mut Criterion) {
+    kshuffle_prove_helper(64, c);
+}
+fn kshuffle_prove_17(c: &mut Criterion) {
+    kshuffle_prove_helper(17, c);
+}
+
+criterion_group!{
+    name = kshuffle_prove;
+    config = Criterion::default();
+    targets =
+    kshuffle_prove_8,
+    kshuffle_prove_16,
+    kshuffle_prove_32,
+    kshuffle_prove_64,
+    kshuffle_prove_17,
+}
+
+fn kshuffle_verify_helper(k: usize, c: &mut Criterion) {
+    let label = format!("{}-shuffle proof verification", k);
+
+    c.bench_function(&label, move |b| {
+        // Generate inputs and outputs to kshuffle
+        let mut rng = rand::thread_rng();
+        let (min, max) = (0u64, std::u64::MAX);
+        let input: Vec<Scalar> = (0..k)
+            .map(|_| Scalar::from(rng.gen_range(min, max)))
+            .collect();
+        let mut output = input.clone();
+        rand::thread_rng().shuffle(&mut output);
+
+        // Make kshuffle proof
+        let pc_gens = PedersenGens::default();
+        let bp_gens = BulletproofGens::new(128, 1);
+        let mut prover_transcript = Transcript::new(b"ShuffleTest");
+        let (proof, commitments) =
+            KShuffleGadget::prove(&pc_gens, &bp_gens, &mut prover_transcript, &input, &output)
+                .unwrap();
+
+        // Verify kshuffle proof
+        b.iter(|| {
+            let mut verifier_transcript = Transcript::new(b"ShuffleTest");
+            KShuffleGadget::verify(
+                &pc_gens,
+                &bp_gens,
+                &mut verifier_transcript,
+                &proof,
+                &commitments,
+            )
+            .unwrap();
+        })
+    });
+}
+
+fn kshuffle_verify_8(c: &mut Criterion) {
+    kshuffle_verify_helper(8, c);
+}
+fn kshuffle_verify_16(c: &mut Criterion) {
+    kshuffle_verify_helper(16, c);
+}
+fn kshuffle_verify_32(c: &mut Criterion) {
+    kshuffle_verify_helper(32, c);
+}
+fn kshuffle_verify_64(c: &mut Criterion) {
+    kshuffle_verify_helper(64, c);
+}
+fn kshuffle_verify_17(c: &mut Criterion) {
+    kshuffle_verify_helper(17, c);
+}
+
+criterion_group!{
+    name = kshuffle_verify;
+    config = Criterion::default();
+    targets =
+    kshuffle_verify_8,
+    kshuffle_verify_16,
+    kshuffle_verify_32,
+    kshuffle_verify_64,
+    kshuffle_verify_17,
+}
+
+criterion_main!(kshuffle_prove, kshuffle_verify);

benches/bulletproofs.rs renamed to benches/range_proof.rs

@@ -88,7 +88,8 @@ fn verify_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
                 &values,
                 &blindings,
                 n,
-            ).unwrap();
+            )
+            .unwrap();
 
             b.iter(|| {
                 // Each proof creation requires a clean transcript.

docs/aggregation-api.md

@@ -1,4 +1,6 @@
-The `aggregation` module contains the API for performing the aggregated multiparty computation protocol.
+The `range_proof_mpc` module contains the API for performing the aggregated multiparty computation protocol for joint range proof proving.
+
+Only the range proofs are supported, while aggregation of constraint system proofs is under development.
 
 API for the aggregated multiparty computation protocol 
 ------------------------------------------------------