Compute digest of public parameters for strong Fiat-Shamir

Author: winderica

crates/fs/src/definitions/keys.rs

@@ -1,10 +1,11 @@
 //! Traits and abstractions for folding scheme keys.
 
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use sonobe_primitives::arithmetizations::ArithConfig;
 
 /// [`DeciderKey`] defines the information that a folding scheme's decider key
 /// should include or provide access to.
-pub trait DeciderKey {
+pub trait DeciderKey: CanonicalSerialize + CanonicalDeserialize {
     /// [`DeciderKey::ProverKey`] is the type of the prover key contained in the
     /// decider key.
     type ProverKey;

crates/fs/src/nova/keys/mod.rs

@@ -1,6 +1,7 @@
 //! Definitions of Nova keys and trait implementations for relation checks and
 //! witness-instance sampling using Nova keys.
 
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{UniformRand, rand::RngCore, sync::Arc};
 use sonobe_primitives::{
     arithmetizations::{
@@ -19,8 +20,8 @@ use super::{
 use crate::{DeciderKey, Error, PlainInstance as PU, PlainWitness as PW};
 
 /// [`NovaKey`] is Nova's decider key.
-#[derive(Clone)]
-pub struct NovaKey<A, CM: CommitmentDef> {
+#[derive(Clone, CanonicalSerialize, CanonicalDeserialize)]
+pub struct NovaKey<A: Arith, CM: CommitmentDef> {
     pub(super) arith: Arc<A>,
     pub(super) ck: Arc<CM::Key>,
 }
@@ -88,7 +89,7 @@ where
     }
 }
 
-impl<A, CM: CommitmentOps> WitnessInstanceSampler<IW<CM>, IU<CM>> for NovaKey<A, CM> {
+impl<A: Arith, CM: CommitmentOps> WitnessInstanceSampler<IW<CM>, IU<CM>> for NovaKey<A, CM> {
     type Source = AssignmentsOwned<CM::Scalar>;
     type Error = Error;
 
@@ -99,7 +100,7 @@ impl<A, CM: CommitmentOps> WitnessInstanceSampler<IW<CM>, IU<CM>> for NovaKey<A,
     }
 }
 
-impl<A, CM: CommitmentDef> WitnessInstanceSampler<PW<CM::Scalar>, PU<CM::Scalar>>
+impl<A: Arith, CM: CommitmentDef> WitnessInstanceSampler<PW<CM::Scalar>, PU<CM::Scalar>>
     for NovaKey<A, CM>
 {
     type Source = AssignmentsOwned<CM::Scalar>;

crates/ivc/Cargo.toml

@@ -11,8 +11,10 @@ ark-ec = { workspace = true }
 ark-ff = { workspace = true, features = ["asm"] }
 ark-r1cs-std = { workspace = true }
 ark-relations = { workspace = true }
+ark-serialize = { workspace = true }
 ark-std = { workspace = true, features = ["getrandom"] }
 num-bigint = { workspace = true, features = ["rand"] }
+sha3 = { workspace = true }
 thiserror = { workspace = true }
 
 sonobe-primitives = { workspace = true }

crates/ivc/src/compilers/cyclefold/mod.rs

@@ -1,12 +1,25 @@
-//! Implementation of the CycleFold-based IVC compiler.
+//! Implementation of the CycleFold-based IVC compiler as described in this
+//! [paper].
 //!
 //! It turns any compatible folding scheme into a full IVC scheme by running the
 //! primary circuit on one curve and a "CycleFold" circuit on the secondary
 //! curve to handle emulated elliptic curve operations.
+//!
+//! [paper]: https://eprint.iacr.org/2023/1192.pdf
 
-use ark_ff::Zero;
+use ark_ff::field_hashers::hash_to_field;
 use ark_relations::gr1cs::{ConstraintSystem, SynthesisError};
-use ark_std::{borrow::Borrow, marker::PhantomData, rand::RngCore};
+use ark_serialize::CanonicalSerialize;
+use ark_std::{
+    borrow::Borrow,
+    io::{Error as IoError, Write},
+    marker::PhantomData,
+    rand::RngCore,
+};
+use sha3::{
+    Shake128,
+    digest::{ExtendableOutput, Update},
+};
 use sonobe_fs::{
     DeciderKey, FoldingInstance, FoldingSchemeDef, FoldingSchemeDefGadget,
     FoldingSchemeFullVerifierGadget, FoldingSchemePartialVerifierGadget,
@@ -214,7 +227,28 @@ where
         let dk1 = FS1::generate_keys(pp1, arith1)?;
         let dk2 = FS2::generate_keys(pp2, arith2)?;
 
-        let pp_hash = Zero::zero(); // TODO
+        struct HashMarshaller<'a>(&'a mut Shake128);
+
+        impl Write for HashMarshaller<'_> {
+            #[inline]
+            fn write(&mut self, buf: &[u8]) -> Result<usize, IoError> {
+                self.0.update(buf);
+                Ok(buf.len())
+            }
+
+            #[inline]
+            fn flush(&mut self) -> Result<(), IoError> {
+                Ok(())
+            }
+        }
+
+        let pp_hash = {
+            let mut shake = Shake128::default();
+            dk1.serialize_compressed(HashMarshaller(&mut shake))?;
+            dk2.serialize_compressed(HashMarshaller(&mut shake))?;
+            hash_config.serialize_compressed(HashMarshaller(&mut shake))?;
+            hash_to_field::<_, _, 128>(&mut shake.finalize_xof())
+        };
 
         Ok((
             Key(dk1.clone(), dk2.clone(), (hash_config.clone(), pp_hash)),

crates/ivc/src/lib.rs

@@ -8,6 +8,7 @@
 
 use ark_ff::PrimeField;
 use ark_relations::gr1cs::SynthesisError;
+use ark_serialize::SerializationError;
 use ark_std::rand::RngCore;
 use sonobe_fs::Error as FoldingError;
 use sonobe_primitives::{arithmetizations::Error as ArithError, circuits::FCircuit, traits::Dummy};
@@ -22,6 +23,9 @@ pub enum Error {
     /// system.
     #[error(transparent)]
     ArithError(#[from] ArithError),
+    /// [`Error::SerializationError`] indicates an error during serialization.
+    #[error(transparent)]
+    SerializationError(#[from] SerializationError),
     /// [`Error::FoldingError`] indicates an error from the underlying folding
     /// scheme.
     #[error(transparent)]

crates/primitives/src/arithmetizations/ccs/mod.rs

@@ -22,6 +22,7 @@
 use ark_ff::Field;
 use ark_poly::DenseMultilinearExtension;
 use ark_relations::gr1cs::{ConstraintSystem, Matrix};
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{borrow::Borrow, cfg_into_iter, cfg_iter, fmt::Debug, marker::PhantomData};
 #[cfg(feature = "parallel")]
 use rayon::prelude::*;
@@ -37,7 +38,7 @@ pub mod circuits;
 
 /// [`CCSVariant`] defines the methods that a CCS variant (e.g., R1CS) should
 /// implement.
-pub trait CCSVariant: Clone + Debug + PartialEq + Default + Sync {
+pub trait CCSVariant: Clone + Debug + PartialEq + Default + Sync + Send {
     /// [`CCSVariant::n_matrices`] returns the number of matrices in the CCS
     /// variant.
     fn n_matrices() -> usize;
@@ -56,7 +57,7 @@ pub trait CCSVariant: Clone + Debug + PartialEq + Default + Sync {
 
 /// [`CCSConfig`] stores the shape parameters of a CCS structure.
 #[allow(non_snake_case)]
-#[derive(Clone, Debug, Default, PartialEq)]
+#[derive(Clone, Debug, Default, PartialEq, CanonicalSerialize, CanonicalDeserialize)]
 pub struct CCSConfig<V: CCSVariant> {
     _v: PhantomData<V>,
     /// m: number of rows in M_i (such that M_i \in F^{m, n})
@@ -114,7 +115,7 @@ impl<F: Field, V: CCSVariant> From<&ConstraintSystem<F>> for CCSConfig<V> {
 
 /// [`CCS`] holds the CCS matrices `M` together with the configuration.
 #[allow(non_snake_case)]
-#[derive(Clone)]
+#[derive(Clone, CanonicalSerialize, CanonicalDeserialize)]
 pub struct CCS<F: Field, V: CCSVariant> {
     cfg: CCSConfig<V>,
 

crates/primitives/src/arithmetizations/mod.rs

@@ -7,6 +7,7 @@
 //! R1CS is the only supported constraint system by ark-relations.
 
 use ark_relations::gr1cs::SynthesisError;
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{fmt::Debug, log2};
 use thiserror::Error;
 
@@ -64,7 +65,7 @@ pub trait ArithConfig: Clone + Debug + Default + PartialEq {
 /// define methods to get and set configuration about the constraint system.
 /// In addition to the configuration, the implementor of this trait may also
 /// store the actual constraints and other information.
-pub trait Arith: Clone + Default {
+pub trait Arith: Clone + Default + Send + Sync + CanonicalSerialize + CanonicalDeserialize {
     /// [`Arith::Config`] specifies the arithmetization's configuration.
     type Config: ArithConfig;
 

crates/primitives/src/arithmetizations/r1cs/mod.rs

@@ -3,6 +3,7 @@
 
 use ark_ff::Field;
 use ark_relations::gr1cs::{ConstraintSystem, Matrix, R1CS_PREDICATE_LABEL};
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{cfg_into_iter, cfg_iter, iterable::Iterable};
 #[cfg(feature = "parallel")]
 use rayon::prelude::*;
@@ -16,7 +17,7 @@ use crate::{
 pub mod circuits;
 
 /// [`R1CSConfig`] stores the shape parameters of an R1CS structure.
-#[derive(Debug, Clone, Default, PartialEq)]
+#[derive(Debug, Clone, Default, PartialEq, CanonicalSerialize, CanonicalDeserialize)]
 pub struct R1CSConfig {
     m: usize, // number of constraints
     n: usize, // number of variables
@@ -96,7 +97,7 @@ impl CCSVariant for R1CSConfig {
 /// [`R1CS`] holds the three sparse matrices `A`, `B`, `C` together with the
 /// configuration.
 #[allow(non_snake_case)]
-#[derive(Debug, Clone, Default, PartialEq)]
+#[derive(Debug, Clone, Default, PartialEq, CanonicalSerialize, CanonicalDeserialize)]
 pub struct R1CS<F: Field> {
     cfg: R1CSConfig,
     pub(super) A: Matrix<F>,

crates/primitives/src/commitments/mod.rs

@@ -3,6 +3,7 @@
 use ark_ff::UniformRand;
 use ark_r1cs_std::{GR1CSVar, alloc::AllocVar, fields::fp::FpVar, select::CondSelectGadget};
 use ark_relations::gr1cs::SynthesisError;
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{
     fmt::Debug,
     iter::Sum,
@@ -42,7 +43,7 @@ pub enum Error {
 
 /// [`CommitmentKey`] represents a commitment key (e.g., a vector of group
 /// generators for many group-based commitment schemes).
-pub trait CommitmentKey: Clone {
+pub trait CommitmentKey: Clone + Send + Sync + CanonicalSerialize + CanonicalDeserialize {
     /// [`CommitmentKey::max_scalars_len`] returns the maximum number of scalars
     /// that can be committed to with this key.
     fn max_scalars_len(&self) -> usize;

crates/primitives/src/commitments/pedersen.rs

@@ -9,6 +9,7 @@ use ark_r1cs_std::{
     boolean::Boolean, convert::ToBitsGadget, eq::EqGadget, fields::fp::FpVar, groups::CurveVar,
 };
 use ark_relations::gr1cs::SynthesisError;
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{UniformRand, iter::repeat_with, marker::PhantomData, rand::RngCore};
 
 use super::{CommitmentDef, CommitmentDefGadget, CommitmentKey, CommitmentOps, Error};
@@ -21,7 +22,7 @@ use crate::{
 
 /// [`PedersenKey`] stores the public parameters for the Pedersen commitment
 /// scheme, where `H` controls whether the scheme is hiding or not.
-#[derive(Clone)]
+#[derive(Clone, CanonicalSerialize, CanonicalDeserialize)]
 pub struct PedersenKey<C: SonobeCurve, const H: bool> {
     g: Vec<C::Affine>,
     h: C,