Merge pull request #4 from davxy/ark-transcript

Switch to ark-transcript

Cargo.toml

@@ -12,5 +12,4 @@ ark-ec = { version = "0.4", default-features = false }
 ark-poly = { version = "0.4", default-features = false }
 ark-serialize = { version = "0.4", default-features = false, features = ["derive"] }
 fflonk = { git = "https://github.com/w3f/fflonk", default-features = false }
-merlin = { version = "3.0", default-features = false }
 rayon = { version = "1", default-features = false }

common/Cargo.toml

@@ -14,10 +14,8 @@ ark-ec.workspace = true
 ark-poly.workspace = true
 ark-serialize.workspace = true
 fflonk.workspace = true
-merlin.workspace = true
 rayon = { workspace = true, optional = true }
 getrandom_or_panic = { version = "0.0.3", default-features = false }
-rand_chacha = { version = "0.3.1", default-features = false }
 
 [dev-dependencies]
 ark-ed-on-bls12-381-bandersnatch = { version = "0.4", default-features = false }
@@ -31,8 +29,7 @@ std = [
   "ark-poly/std",
   "ark-serialize/std",
   "fflonk/std",
-  "merlin/std",
-  "getrandom_or_panic/std"
+  "getrandom_or_panic/std",
 ]
 parallel = [
   "std",

common/src/prover.rs

@@ -7,17 +7,17 @@ use fflonk::pcs::PCS;
 
 use crate::piop::ProverPiop;
 use crate::Proof;
-use crate::transcript::Transcript;
+use crate::transcript::PlonkTranscript;
 
-pub struct PlonkProver<F: PrimeField, CS: PCS<F>, T: Transcript<F, CS>> {
+pub struct PlonkProver<F: PrimeField, CS: PCS<F>, T: PlonkTranscript<F, CS>> {
     // Polynomial commitment scheme committer's key.
     pcs_ck: CS::CK,
     // Transcript,
     // initialized with the public parameters and the commitments to the precommitted columns.
     transcript_prelude: T,
 }
 
-impl<F: PrimeField, CS: PCS<F>, T: Transcript<F, CS>> PlonkProver<F, CS, T> {
+impl<F: PrimeField, CS: PCS<F>, T: PlonkTranscript<F, CS>> PlonkProver<F, CS, T> {
     pub fn init(pcs_ck: CS::CK,
                 verifier_key: impl CanonicalSerialize, //TODO: a type,
                 empty_transcript: T) -> Self {

common/src/transcript.rs

@@ -1,14 +1,12 @@
 use ark_ff::PrimeField;
 use ark_poly::GeneralEvaluationDomain;
 use ark_serialize::CanonicalSerialize;
-use ark_std::{vec, vec::Vec};
-use ark_std::rand::SeedableRng;
+use ark_std::{vec::Vec, rand::RngCore};
 use fflonk::pcs::{PCS, PcsParams};
-use rand_chacha::ChaCha20Rng;
 
 use crate::{ColumnsCommited, ColumnsEvaluated};
 
-pub trait Transcript<F: PrimeField, CS: PCS<F>>: Clone {
+pub trait PlonkTranscript<F: PrimeField, CS: PCS<F>>: Clone {
     fn add_protocol_params(&mut self, domain: &GeneralEvaluationDomain<F>, pcs_raw_vk: &<CS::Params as PcsParams>::RVK) {
         self._add_serializable(b"domain", domain);
         self._add_serializable(b"pcs_raw_vk", pcs_raw_vk);
@@ -26,14 +24,6 @@ pub trait Transcript<F: PrimeField, CS: PCS<F>>: Clone {
         self._add_serializable(b"committed_cols", committed_cols);
     }
 
-    // fn get_bitmask_aggregation_challenge(&mut self) -> Fr {
-    //     self._get_128_bit_challenge(b"bitmask_aggregation")
-    // }
-
-    // fn append_2nd_round_register_commitments(&mut self, register_commitments: &impl RegisterCommitments) {
-    //     self._append_serializable(b"2nd_round_register_commitments", register_commitments);
-    // }
-
     fn get_constraints_aggregation_coeffs(&mut self, n: usize) -> Vec<F> {
         self._128_bit_coeffs(b"constraints_aggregation", n)
     }
@@ -63,25 +53,5 @@ pub trait Transcript<F: PrimeField, CS: PCS<F>>: Clone {
 
     fn _add_serializable(&mut self, label: &'static [u8], message: &impl CanonicalSerialize);
 
-    fn to_rng(self) -> ChaCha20Rng;
+    fn to_rng(self) -> impl RngCore;
 }
-
-impl<F: PrimeField, CS: PCS<F>> Transcript<F, CS> for merlin::Transcript {
-    fn _128_bit_point(&mut self, label: &'static [u8]) -> F {
-        let mut buf = [0u8; 16];
-        self.challenge_bytes(label, &mut buf);
-        F::from_random_bytes(&buf).unwrap()
-    }
-
-    fn _add_serializable(&mut self, label: &'static [u8], message: &impl CanonicalSerialize) {
-        let mut buf = vec![0; message.uncompressed_size()];
-        message.serialize_uncompressed(&mut buf).unwrap();
-        self.append_message(label, &buf);
-    }
-
-    fn to_rng(mut self) -> ChaCha20Rng {
-        let mut buf = [0u8; 32];
-        self.challenge_bytes(b"transcript_rng", &mut buf);
-        ChaCha20Rng::from_seed(buf)
-    }
-}

common/src/verifier.rs

@@ -1,23 +1,22 @@
 use ark_ff::{Field, PrimeField};
 use ark_serialize::CanonicalSerialize;
-use ark_std::{vec, vec::Vec};
+use ark_std::{vec, vec::Vec, rand::RngCore};
 use ark_std::rand::Rng;
 use fflonk::pcs::{Commitment, PCS, PcsParams};
-use rand_chacha::ChaCha20Rng;
 
 use crate::{ColumnsCommited, ColumnsEvaluated, Proof};
 use crate::piop::VerifierPiop;
-use crate::transcript::Transcript;
+use crate::transcript::PlonkTranscript;
 
-pub struct PlonkVerifier<F: PrimeField, CS: PCS<F>, T: Transcript<F, CS>> {
+pub struct PlonkVerifier<F: PrimeField, CS: PCS<F>, T: PlonkTranscript<F, CS>> {
     // Polynomial commitment scheme verifier's key.
     pcs_vk: CS::VK,
     // Transcript,
     // initialized with the public parameters and the commitments to the precommitted columns.
     transcript_prelude: T,
 }
 
-impl<F: PrimeField, CS: PCS<F>, T: Transcript<F, CS>> PlonkVerifier<F, CS, T> {
+impl<F: PrimeField, CS: PCS<F>, T: PlonkTranscript<F, CS>> PlonkVerifier<F, CS, T> {
     pub fn init(pcs_vk: <CS::Params as PcsParams>::VK,
                 verifier_key: &impl CanonicalSerialize,
                 empty_transcript: T) -> Self {
@@ -74,7 +73,7 @@ impl<F: PrimeField, CS: PCS<F>, T: Transcript<F, CS>> PlonkVerifier<F, CS, T> {
         proof: &Proof<F, CS, Commitments, Evaluations>,
         n_polys: usize,
         n_constraints: usize,
-    ) -> (Challenges<F>, ChaCha20Rng)
+    ) -> (Challenges<F>, impl RngCore)
         where
             Commitments: ColumnsCommited<F, CS::C>,
             Evaluations: ColumnsEvaluated<F>,

ring/Cargo.toml

@@ -14,12 +14,11 @@ ark-ec.workspace = true
 ark-poly.workspace = true
 ark-serialize.workspace = true
 fflonk.workspace = true
-merlin.workspace = true
 rayon = { workspace = true, optional = true }
 common = { path = "../common", default-features = false }
 blake2 = { version = "0.10", default-features = false }
 arrayvec = { version = "0.7", default-features = false }
-rand_chacha = { version = "0.3.1", default-features = false }
+ark-transcript = { git = "https://github.com/w3f/ark-transcript", rev = "288e49d", default-features = false }
 
 [dev-dependencies]
 ark-bls12-381 = { version = "0.4", default-features = false, features = ["curve"] }
@@ -33,7 +32,6 @@ std = [
   "ark-ec/std",
   "ark-poly/std",
   "ark-serialize/std",
-  "merlin/std",
   "fflonk/std",
   "common/std"
 ]

ring/src/lib.rs

@@ -1,8 +1,9 @@
 #![cfg_attr(not(feature = "std"), no_std)]
 
-use ark_ec::AffineRepr;
-use ark_ec::short_weierstrass::{Affine, SWCurveConfig};
-use ark_ff::{One, Zero};
+use ark_ec::{short_weierstrass::{Affine, SWCurveConfig}, AffineRepr};
+use ark_ff::{One, PrimeField, Zero};
+use ark_serialize::CanonicalSerialize;
+use ark_std::rand::RngCore;
 use fflonk::pcs::PCS;
 
 pub use common::domain::Domain;
@@ -22,9 +23,6 @@ pub type RingProof<F, CS> = Proof<F, CS, RingCommitments<F, <CS as PCS<F>>::C>,
 /// Polynomial Commitment Schemes.
 pub use fflonk::pcs;
 
-/// Transcript for `RingProver` and `RingVerifier` construction.
-pub use merlin::Transcript;
-
 // Calling the method for a prime-order curve results in an infinite loop.
 pub fn find_complement_point<Curve: SWCurveConfig>() -> Affine<Curve> {
     let mut x = Curve::BaseField::zero();
@@ -37,13 +35,46 @@ pub fn find_complement_point<Curve: SWCurveConfig>() -> Affine<Curve> {
     }
 }
 
-pub fn hash_to_curve<A: AffineRepr>(message: &[u8]) -> A {
+// Try and increment hash to curve.
+pub(crate) fn hash_to_curve<F: PrimeField, Curve: SWCurveConfig<BaseField = F>>(message: &[u8]) -> Affine<Curve> {
     use blake2::Digest;
-    use ark_std::rand::SeedableRng;
+    let mut seed = message.to_vec();
+    let cnt_offset = seed.len();
+    seed.push(0);
+    loop {
+        let hash: [u8; 64] = blake2::Blake2b::digest(&seed[..]).into();
+        let x = F::from_le_bytes_mod_order(&hash);
+        if let Some(point) = Affine::<Curve>::get_point_from_x_unchecked(x, false) {
+            let point = point.clear_cofactor();
+            assert!(point.is_in_correct_subgroup_assuming_on_curve());
+            return point
+        }
+        seed[cnt_offset] += 1;
+    }
+}
+
+#[derive(Clone)]
+pub struct ArkTranscript(ark_transcript::Transcript);
+
+impl<F: PrimeField, CS: PCS<F>> common::transcript::PlonkTranscript<F, CS> for ArkTranscript {
+    fn _128_bit_point(&mut self, label: &'static [u8]) -> F {
+        self.0.challenge(label).read_reduce()
+    }
+
+    fn _add_serializable(&mut self, label: &'static [u8], message: &impl CanonicalSerialize) {
+        self.0.label(label);
+        self.0.append(message);
+    }
 
-    let seed = blake2::Blake2s::digest(message);
-    let rng = &mut rand_chacha::ChaCha12Rng::from_seed(seed.into());
-    A::rand(rng)
+    fn to_rng(mut self) -> impl RngCore {
+        self.0.challenge(b"transcript_rng")
+    }
+}
+
+impl ArkTranscript {
+    pub fn new(label: &'static [u8]) -> Self {
+        Self(ark_transcript::Transcript::new_labeled(label))
+    }
 }
 
 #[cfg(test)]
@@ -56,7 +87,6 @@ mod tests {
     use ark_std::ops::Mul;
     use ark_std::rand::Rng;
     use fflonk::pcs::kzg::KZG;
-    use merlin::Transcript;
 
     use common::test_helpers::random_vec;
 
@@ -83,12 +113,12 @@ mod tests {
         // PROOF generation
         let secret = Fr::rand(rng); // prover's secret scalar
         let result = piop_params.h.mul(secret) + pk;
-        let ring_prover = RingProver::init(prover_key, piop_params.clone(), k, Transcript::new(b"ring-vrf-test"));
+        let ring_prover = RingProver::init(prover_key, piop_params.clone(), k, ArkTranscript::new(b"ring-vrf-test"));
         let t_prove = start_timer!(|| "Prove");
         let proof = ring_prover.prove(secret);
         end_timer!(t_prove);
 
-        let ring_verifier = RingVerifier::init(verifier_key, piop_params, Transcript::new(b"ring-vrf-test"));
+        let ring_verifier = RingVerifier::init(verifier_key, piop_params, ArkTranscript::new(b"ring-vrf-test"));
         let t_verify = start_timer!(|| "Verify");
         let res = ring_verifier.verify_ring_proof(proof, result.into_affine());
         end_timer!(t_verify);

ring/src/piop/params.rs

@@ -32,7 +32,7 @@ pub struct PiopParams<F: PrimeField, Curve: SWCurveConfig<BaseField=F>> {
 
 impl<F: PrimeField, Curve: SWCurveConfig<BaseField=F>> PiopParams<F, Curve> {
     pub fn setup(domain: Domain<F>, h: Affine<Curve>, seed: Affine<Curve>) -> Self {
-        let padding_point = crate::hash_to_curve::<Affine<Curve>>(b"w3f/ring-proof/common/padding");
+        let padding_point = crate::hash_to_curve(b"/w3f/ring-proof/padding");
         let scalar_bitlen = Curve::ScalarField::MODULUS_BIT_SIZE as usize;
         // 1 accounts for the last cells of the points and bits columns that remain unconstrained
         let keyset_part_size = domain.capacity - scalar_bitlen - 1;

ring/src/ring_prover.rs

@@ -3,24 +3,37 @@ use ark_ff::PrimeField;
 use fflonk::pcs::PCS;
 
 use common::prover::PlonkProver;
+use common::transcript::PlonkTranscript;
 
 use crate::piop::{FixedColumns, PiopProver, ProverKey};
 use crate::piop::params::PiopParams;
-use crate::RingProof;
-
-pub struct RingProver<F: PrimeField, CS: PCS<F>, Curve: SWCurveConfig<BaseField=F>> {
+use crate::{ArkTranscript, RingProof};
+
+pub struct RingProver<F, CS, Curve, T = ArkTranscript>
+where
+    F: PrimeField,
+    CS: PCS<F>,
+    Curve: SWCurveConfig<BaseField=F>,
+    T: PlonkTranscript<F, CS>,
+{
     piop_params: PiopParams<F, Curve>,
     fixed_columns: FixedColumns<F, Affine<Curve>>,
     k: usize,
-    plonk_prover: PlonkProver<F, CS, merlin::Transcript>,
+    plonk_prover: PlonkProver<F, CS, T>,
 }
 
 
-impl<F: PrimeField, CS: PCS<F>, Curve: SWCurveConfig<BaseField=F>> RingProver<F, CS, Curve> {
+impl<F, CS, Curve, T> RingProver<F, CS, Curve, T>
+where
+    F: PrimeField,
+    CS: PCS<F>,
+    Curve: SWCurveConfig<BaseField=F>,
+    T: PlonkTranscript<F, CS>,
+{
     pub fn init(prover_key: ProverKey<F, CS, Affine<Curve>>,
                 piop_params: PiopParams<F, Curve>,
                 k: usize,
-                empty_transcript: merlin::Transcript,
+                empty_transcript: T,
     ) -> Self {
         let ProverKey { pcs_ck, fixed_columns, verifier_key } = prover_key;
 

ring/src/ring_verifier.rs

@@ -5,22 +5,35 @@ use fflonk::pcs::{PCS, RawVerifierKey};
 
 use common::domain::EvaluatedDomain;
 use common::piop::VerifierPiop;
+use common::transcript::PlonkTranscript;
 use common::verifier::PlonkVerifier;
 
 use crate::piop::{FixedColumnsCommitted, PiopVerifier, VerifierKey};
 use crate::piop::params::PiopParams;
-use crate::RingProof;
+use crate::{ArkTranscript, RingProof};
 
-pub struct RingVerifier<F: PrimeField, CS: PCS<F>, Curve: SWCurveConfig<BaseField=F>> {
+pub struct RingVerifier<F, CS, Curve, T = ArkTranscript>
+where
+    F: PrimeField,
+    CS: PCS<F>,
+    Curve: SWCurveConfig<BaseField=F>,
+    T: PlonkTranscript<F, CS>,
+{
     piop_params: PiopParams<F, Curve>,
     fixed_columns_committed: FixedColumnsCommitted<F, CS::C>,
-    plonk_verifier: PlonkVerifier<F, CS, merlin::Transcript>,
+    plonk_verifier: PlonkVerifier<F, CS, T>,
 }
 
-impl<F: PrimeField, CS: PCS<F>, Curve: SWCurveConfig<BaseField=F>> RingVerifier<F, CS, Curve> {
+impl<F, CS, Curve, T> RingVerifier<F, CS, Curve, T>
+where
+    F: PrimeField,
+    CS: PCS<F>,
+    Curve: SWCurveConfig<BaseField=F>,
+    T: PlonkTranscript<F, CS>,
+{
     pub fn init(verifier_key: VerifierKey<F, CS>,
                 piop_params: PiopParams<F, Curve>,
-                empty_transcript: merlin::Transcript,
+                empty_transcript: T,
     ) -> Self {
         let pcs_vk = verifier_key.pcs_raw_vk.prepare();
         let plonk_verifier = PlonkVerifier::init(pcs_vk, &verifier_key, empty_transcript);