Sumcheck IOP for LogUp-GKR

Cargo.toml

@@ -11,7 +11,7 @@ members = [
   "verifier",
   "winterfell",
   "examples"
-]
+, "sumcheck"]
 resolver = "2"
 
 [profile.release]

air/src/air/mod.rs

@@ -601,3 +601,68 @@ pub trait Air: Send + Sync {
         })
     }
 }
+
+pub trait LogUpGkrEvaluator: Clone {
+    /// Defines the base field of the evaluator.
+    type BaseField: StarkField;
+
+    /// Public inputs need to compute the final claim.
+    type PublicInputs: ToElements<Self::BaseField> + Send;
+
+    /// Gets a list of all oracles involved in LogUp-GKR; this is intended to be used in construction of
+    /// MLEs.
+    fn get_oracles(&self) -> Vec<LogUpGkrOracle<Self::BaseField>>;
+
+    /// Returns the number of random values needed to evaluate a query.
+    fn get_num_rand_values(&self) -> usize;
+
+    /// Returns the number of fractions in the LogUp-GKR statement.
+    fn get_num_fractions(&self) -> usize;
+
+    /// Returns the maximal degree of the multi-variate associated to the input layer.
+    fn max_degree(&self) -> usize;
+
+    /// Builds a query from the provided main trace frame and periodic values.
+    ///
+    /// Note: it should be possible to provide an implementation of this method based on the
+    /// information returned from `get_oracles()`. However, this implementation is likely to be
+    /// expensive compared to the hand-written implementation. However, we could provide a test
+    /// which verifies that `get_oracles()` and `build_query()` methods are consistent.
+    fn build_query<E>(&self, frame: &EvaluationFrame<E>, periodic_values: &[E]) -> Vec<E>
+    where
+        E: FieldElement<BaseField = Self::BaseField>;
+
+    /// Evaluates the provided query and writes the results into the numerators and denominators.
+    ///
+    /// Note: it is also possible to combine `build_query()` and `evaluate_query()` into a single
+    /// method to avoid the need to first build the query struct and then evaluate it. However:
+    /// - We assume that the compiler will be able to optimize this away.
+    /// - Merging the methods will make it more difficult avoid inconsistencies between
+    ///   `evaluate_query()` and `get_oracles()` methods.
+    fn evaluate_query<F, E>(
+        &self,
+        query: &[F],
+        rand_values: &[E],
+        numerator: &mut [E],
+        denominator: &mut [E],
+    ) where
+        F: FieldElement<BaseField = Self::BaseField>,
+        E: FieldElement<BaseField = Self::BaseField> + ExtensionOf<F>;
+
+    /// Computes the final claim for the LogUp-GKR circuit.
+    ///
+    /// The default implementation of this method returns E::ZERO as it is expected that the
+    /// fractional sums will cancel out. However, in cases when some boundary conditions need to
+    /// be imposed on the LogUp-GKR relations, this method can be overridden to compute the final
+    /// expected claim.
+    fn compute_claim<E>(&self, inputs: &Self::PublicInputs, rand_values: &[E]) -> E
+    where
+        E: FieldElement<BaseField = Self::BaseField>;
+}
+
+#[derive(Clone, Debug, PartialEq, PartialOrd, Eq, Ord)]
+pub enum LogUpGkrOracle<B: StarkField> {
+    CurrentRow(usize),
+    NextRow(usize),
+    PeriodicValue(Vec<B>),
+}

air/src/lib.rs

@@ -47,6 +47,6 @@ pub use air::{
     DeepCompositionCoefficients, EvaluationFrame, GkrRandElements, GkrVerifier,
     LagrangeConstraintsCompositionCoefficients, LagrangeKernelBoundaryConstraint,
     LagrangeKernelConstraints, LagrangeKernelEvaluationFrame, LagrangeKernelRandElements,
-    LagrangeKernelTransitionConstraints, TraceInfo, TransitionConstraintDegree,
-    TransitionConstraints,
+    LagrangeKernelTransitionConstraints, LogUpGkrEvaluator, LogUpGkrOracle, TraceInfo,
+    TransitionConstraintDegree, TransitionConstraints,
 };

sumcheck/Cargo.toml

@@ -0,0 +1,31 @@
+[package]
+name = "winter-sumcheck"
+version = "0.1.0"
+description = "Implementation of the sum-check protocol for the LogUp-GKR protocol"
+authors = ["winterfell contributors"]
+readme = "README.md"
+license = "MIT"
+repository = "https://github.com/novifinancial/winterfell"
+documentation = "https://docs.rs/winter-sumcheck/0.1.0"
+categories = ["cryptography", "no-std"]
+keywords = ["crypto", "sumcheck", "iop"]
+edition = "2021"
+rust-version = "1.78"
+
+[features]
+concurrent = ["utils/concurrent", "dep:rayon", "std"]
+default = ["std"]
+std = ["utils/std"]
+
+[dependencies]
+air = { version = "0.9", path = "../air", package = "winter-air", default-features = false }
+crypto = { version = "0.9", path = "../crypto", package = "winter-crypto", default-features = false }
+math = { version = "0.9", path = "../math", package = "winter-math", default-features = false }
+utils = { version = "0.9", path = "../utils/core", package = "winter-utils", default-features = false }
+rayon = { version = "1.8", optional = true }
+smallvec = { version = "1.13", default-features = false }
+thiserror = { version = "1.0", git = "https://github.com/bitwalker/thiserror", branch = "no-std", default-features = false }
+
+[dev-dependencies]
+criterion = "0.5"
+rand-utils = { version = "0.9", path = "../utils/rand", package = "winter-rand-utils" }

sumcheck/src/lib.rs

@@ -0,0 +1,155 @@
+// Copyright (c) Facebook, Inc. and its affiliates.
+//
+// This source code is licensed under the MIT license found in the
+// LICENSE file in the root directory of this source tree.
+
+#![no_std]
+
+use alloc::vec::Vec;
+
+use ::utils::{ByteReader, ByteWriter, Deserializable, DeserializationError, Serializable};
+use math::FieldElement;
+
+#[macro_use]
+extern crate alloc;
+
+mod prover;
+pub use prover::*;
+
+mod verifier;
+pub use verifier::*;
+
+mod utils;
+pub use utils::*;
+
+/// Represents an opening claim at an evaluation point against a batch of oracles.
+///
+/// After verifying [`Proof`], the verifier is left with a question on the validity of a final
+/// claim on a number of oracles open to a given set of values at some given point.
+/// This question is answered either using further interaction with the Prover or using
+/// a polynomial commitment opening proof in the compiled protocol.
+#[derive(Clone, Debug)]
+pub struct FinalOpeningClaim<E> {
+    pub eval_point: Vec<E>,
+    pub openings: Vec<E>,
+}
+
+impl<E: FieldElement> Serializable for FinalOpeningClaim<E> {
+    fn write_into<W: ByteWriter>(&self, target: &mut W) {
+        let Self { eval_point, openings } = self;
+        eval_point.write_into(target);
+        openings.write_into(target);
+    }
+}
+
+impl<E> Deserializable for FinalOpeningClaim<E>
+where
+    E: FieldElement,
+{
+    fn read_from<R: ByteReader>(source: &mut R) -> Result<Self, DeserializationError> {
+        Ok(Self {
+            eval_point: Deserializable::read_from(source)?,
+            openings: Deserializable::read_from(source)?,
+        })
+    }
+}
+
+/// A sum-check proof.
+///
+/// Composed of the round proofs i.e., the polynomials sent by the Prover at each round as well as
+/// the (claimed) openings of the multi-linear oracles at the evaluation point given by the round
+/// challenges.
+#[derive(Debug, Clone)]
+pub struct SumCheckProof<E: FieldElement> {
+    pub openings_claim: FinalOpeningClaim<E>,
+    pub round_proofs: Vec<RoundProof<E>>,
+}
+
+/// A sum-check round proof.
+///
+/// This represents the partial polynomial sent by the Prover during one of the rounds of the
+/// sum-check protocol. The polynomial is in coefficient form and excludes the coefficient for
+/// the linear term as the Verifier can recover it from the other coefficients and the current
+/// (reduced) claim.
+#[derive(Debug, Clone)]
+pub struct RoundProof<E: FieldElement> {
+    pub round_poly_coefs: CompressedUnivariatePoly<E>,
+}
+
+impl<E: FieldElement> Serializable for RoundProof<E> {
+    fn write_into<W: ByteWriter>(&self, target: &mut W) {
+        let Self { round_poly_coefs } = self;
+        round_poly_coefs.write_into(target);
+    }
+}
+
+impl<E> Deserializable for RoundProof<E>
+where
+    E: FieldElement,
+{
+    fn read_from<R: ByteReader>(source: &mut R) -> Result<Self, DeserializationError> {
+        Ok(Self {
+            round_poly_coefs: Deserializable::read_from(source)?,
+        })
+    }
+}
+
+impl<E> Serializable for SumCheckProof<E>
+where
+    E: FieldElement,
+{
+    fn write_into<W: ByteWriter>(&self, target: &mut W) {
+        self.openings_claim.write_into(target);
+        self.round_proofs.write_into(target);
+    }
+}
+
+impl<E> Deserializable for SumCheckProof<E>
+where
+    E: FieldElement,
+{
+    fn read_from<R: ByteReader>(source: &mut R) -> Result<Self, DeserializationError> {
+        Ok(Self {
+            openings_claim: Deserializable::read_from(source)?,
+            round_proofs: Deserializable::read_from(source)?,
+        })
+    }
+}
+
+/// Contains the round challenges sent by the Verifier up to some round as well as the current
+/// reduced claim.
+#[derive(Debug)]
+pub struct SumCheckRoundClaim<E: FieldElement> {
+    pub eval_point: Vec<E>,
+    pub claim: E,
+}
+
+/// The non-linear composition polynomial of the LogUp-GKR protocol specific to the input layer.
+pub fn evaluate_composition_poly<E: FieldElement>(
+    numerators: &[E],
+    denominators: &[E],
+    eq_eval: E,
+    r_sum_check: E,
+    tensored_merge_randomness: &[E],
+) -> E {
+    let numerators = MultiLinearPoly::from_evaluations(numerators.to_vec());
+    let denominators = MultiLinearPoly::from_evaluations(denominators.to_vec());
+
+    let (left_numerators, right_numerators) = numerators.project_least_significant_variable();
+    let (left_denominators, right_denominators) = denominators.project_least_significant_variable();
+
+    let eval_left_numerators =
+        left_numerators.evaluate_with_lagrange_kernel(tensored_merge_randomness);
+    let eval_right_numerators =
+        right_numerators.evaluate_with_lagrange_kernel(tensored_merge_randomness);
+
+    let eval_left_denominators =
+        left_denominators.evaluate_with_lagrange_kernel(tensored_merge_randomness);
+    let eval_right_denominators =
+        right_denominators.evaluate_with_lagrange_kernel(tensored_merge_randomness);
+
+    eq_eval
+        * ((eval_left_numerators * eval_right_denominators
+            + eval_right_numerators * eval_left_denominators)
+            + eval_left_denominators * eval_right_denominators * r_sum_check)
+}

sumcheck/src/prover/error.rs

@@ -0,0 +1,15 @@
+#[derive(Debug, thiserror::Error)]
+pub enum SumCheckProverError {
+    #[error("number of rounds for sum-check must be greater than zero")]
+    NumRoundsZero,
+    #[error("the number of rounds is greater than the number of variables")]
+    TooManyRounds,
+    #[error("should provide at least one multi-linear polynomial as input")]
+    NoMlsProvided,
+    #[error("failed to generate round challenge")]
+    FailedToGenerateChallenge,
+    #[error("the provided multi-linears have different arities")]
+    MlesDifferentArities,
+    #[error("multi-linears should have at least one variable")]
+    AtLeastOneVariable,
+}