Sumcheck IOP for LogUp-GKR

Cargo.toml

@@ -10,8 +10,8 @@ members = [
   "prover",
   "verifier",
   "winterfell",
-  "examples"
-]
+  "examples",
+  "sumcheck",]
 resolver = "2"
 
 [profile.release]

air/src/air/logup_gkr.rs

@@ -0,0 +1,80 @@
+// Copyright (c) Facebook, Inc. and its affiliates.
+//
+// This source code is licensed under the MIT license found in the
+// LICENSE file in the root directory of this source tree.
+
+use alloc::vec::Vec;
+
+use super::EvaluationFrame;
+use math::{ExtensionOf, FieldElement, StarkField, ToElements};
+
+pub trait LogUpGkrEvaluator: Clone + Sync {
+    /// Defines the base field of the evaluator.
+    type BaseField: StarkField;
+
+    /// Public inputs need to compute the final claim.
+    type PublicInputs: ToElements<Self::BaseField> + Send;
+
+    /// Gets a list of all oracles involved in LogUp-GKR; this is intended to be used in construction of
+    /// MLEs.
+    fn get_oracles(&self) -> Vec<LogUpGkrOracle<Self::BaseField>>;
+
+    /// Returns the number of random values needed to evaluate a query.
+    fn get_num_rand_values(&self) -> usize;
+
+    /// Returns the number of fractions in the LogUp-GKR statement.
+    fn get_num_fractions(&self) -> usize;
+
+    /// Returns the maximal degree of the multi-variate associated to the input layer.
+    /// 
+    /// This is equal to the max of $1 + deg_k(\text{numerator}_i) * deg_k(\text{denominator}_j)$ where
+    /// $i$ and $j$ range over the number of numerators and denominators, respectively, and $deg_k$
+    /// is the degree of a multi-variate polynomial in its $k$-th variable.
+    fn max_degree(&self) -> usize;
+
+    /// Builds a query from the provided main trace frame and periodic values.
+    ///
+    /// Note: it should be possible to provide an implementation of this method based on the
+    /// information returned from `get_oracles()`. However, this implementation is likely to be
+    /// expensive compared to the hand-written implementation. However, we could provide a test
+    /// which verifies that `get_oracles()` and `build_query()` methods are consistent.
+    fn build_query<E>(&self, frame: &EvaluationFrame<E>, periodic_values: &[E], query: &mut [E])
+    where
+        E: FieldElement<BaseField = Self::BaseField>;
+
+    /// Evaluates the provided query and writes the results into the numerators and denominators.
+    ///
+    /// Note: it is also possible to combine `build_query()` and `evaluate_query()` into a single
+    /// method to avoid the need to first build the query struct and then evaluate it. However:
+    /// - We assume that the compiler will be able to optimize this away.
+    /// - Merging the methods will make it more difficult avoid inconsistencies between
+    ///   `evaluate_query()` and `get_oracles()` methods.
+    fn evaluate_query<F, E>(
+        &self,
+        query: &[F],
+        rand_values: &[E],
+        numerators: &mut [E],
+        denominators: &mut [E],
+    ) where
+        F: FieldElement<BaseField = Self::BaseField>,
+        E: FieldElement<BaseField = Self::BaseField> + ExtensionOf<F>;
+
+    /// Computes the final claim for the LogUp-GKR circuit.
+    ///
+    /// The default implementation of this method returns E::ZERO as it is expected that the
+    /// fractional sums will cancel out. However, in cases when some boundary conditions need to
+    /// be imposed on the LogUp-GKR relations, this method can be overridden to compute the final
+    /// expected claim.
+    fn compute_claim<E>(&self, _inputs: &Self::PublicInputs, _rand_values: &[E]) -> E
+    where
+        E: FieldElement<BaseField = Self::BaseField>{
+            E::ZERO
+        }
+}
+
+#[derive(Clone, Debug, PartialEq, PartialOrd, Eq, Ord)]
+pub enum LogUpGkrOracle<B: StarkField> {
+    CurrentRow(usize),
+    NextRow(usize),
+    PeriodicValue(Vec<B>),
+}

air/src/air/mod.rs

@@ -34,6 +34,9 @@ pub use lagrange::{
     LagrangeKernelRandElements, LagrangeKernelTransitionConstraints,
 };
 
+mod logup_gkr;
+pub use logup_gkr::{LogUpGkrEvaluator, LogUpGkrOracle};
+
 mod coefficients;
 pub use coefficients::{
     ConstraintCompositionCoefficients, DeepCompositionCoefficients,

air/src/lib.rs

@@ -47,6 +47,6 @@ pub use air::{
     DeepCompositionCoefficients, EvaluationFrame, GkrRandElements, GkrVerifier,
     LagrangeConstraintsCompositionCoefficients, LagrangeKernelBoundaryConstraint,
     LagrangeKernelConstraints, LagrangeKernelEvaluationFrame, LagrangeKernelRandElements,
-    LagrangeKernelTransitionConstraints, TraceInfo, TransitionConstraintDegree,
-    TransitionConstraints,
+    LagrangeKernelTransitionConstraints, LogUpGkrEvaluator, LogUpGkrOracle, TraceInfo,
+    TransitionConstraintDegree, TransitionConstraints,
 };

sumcheck/Cargo.toml

@@ -0,0 +1,49 @@
+[package]
+name = "winter-sumcheck"
+version = "0.1.0"
+description = "Implementation of the sum-check protocol for the LogUp-GKR protocol"
+authors = ["winterfell contributors"]
+readme = "README.md"
+license = "MIT"
+repository = "https://github.com/novifinancial/winterfell"
+documentation = "https://docs.rs/winter-sumcheck/0.1.0"
+categories = ["cryptography", "no-std"]
+keywords = ["crypto", "sumcheck", "iop"]
+edition = "2021"
+rust-version = "1.78"
+
+[[bench]]
+name = "sum_check_plain"
+harness = false
+
+[[bench]]
+name = "sum_check_high_degree"
+harness = false
+
+[[bench]]
+name = "eq_function"
+harness = false
+required-features = ["concurrent"]
+
+[[bench]]
+name = "bind_variable"
+harness = false
+required-features = ["concurrent"]
+
+[features]
+concurrent = ["utils/concurrent", "dep:rayon", "std"]
+default = ["std"]
+std = ["utils/std"]
+
+[dependencies]
+air = { version = "0.9", path = "../air", package = "winter-air", default-features = false }
+crypto = { version = "0.9", path = "../crypto", package = "winter-crypto", default-features = false }
+math = { version = "0.9", path = "../math", package = "winter-math", default-features = false }
+utils = { version = "0.9", path = "../utils/core", package = "winter-utils", default-features = false }
+rayon = { version = "1.8", optional = true }
+smallvec = { version = "1.13", default-features = false }
+thiserror = { version = "1.0", git = "https://github.com/bitwalker/thiserror", branch = "no-std", default-features = false }
+
+[dev-dependencies]
+criterion = "0.5"
+rand-utils = { version = "0.9", path = "../utils/rand", package = "winter-rand-utils" }

sumcheck/README.md

@@ -0,0 +1,24 @@
+# Winter sum-check
+This crate contains an implementation of the sum-check protocol intended to be used for [LogUp-GKR](https://eprint.iacr.org/2023/1284) by the Winterfell STARK prover and verifier.
+
+The crate provides two implementations of the sum-check protocol:
+
+* An implementation for the sum-check protocol as used in [LogUp-GKR](https://eprint.iacr.org/2023/1284).
+* An implementation which generalizes the previous one to the case where the numerators and denominators appearing in the fractional sum-checks in Section 3 of [LogUp-GKR](https://eprint.iacr.org/2023/1284) can be non-linear compositions of multi-linear polynomials.
+
+The first implementation is intended to be used by the GKR protocol for proving the correct evaluation of all of the layers of the fractionl sum circuit except for the input layer. The second implementation is intended to be used for proving the correct evaluation of the input layer.
+
+
+## Crate features
+This crate can be compiled with the following features:
+
+* `std` - enabled by default and relies on the Rust standard library.
+* `concurrent` - implies `std` and also re-exports `rayon` crate and enables multi-threaded execution for some of the crate functions.
+* `no_std` - does not rely on Rust's standard library and enables compilation to WebAssembly.
+
+To compile with `no_std`, disable default features via `--no-default-features` flag.
+
+License
+-------
+
+This project is [MIT licensed](../LICENSE).

sumcheck/benches/bind_variable.rs

@@ -0,0 +1,90 @@
+// Copyright (c) Facebook, Inc. and its affiliates.
+//
+// This source code is licensed under the MIT license found in the
+// LICENSE file in the root directory of this source tree.
+
+use std::time::Duration;
+
+use criterion::{criterion_group, criterion_main, BatchSize, BenchmarkId, Criterion};
+use math::{fields::f64::BaseElement, FieldElement};
+use rand_utils::{rand_value, rand_vector};
+#[cfg(feature = "concurrent")]
+pub use rayon::prelude::*;
+
+const POLY_SIZE: [usize; 2] = [1 << 18, 1 << 20];
+
+fn bind_variable_serial(c: &mut Criterion) {
+    let mut group = c.benchmark_group("Bind variable evaluations");
+    group.sample_size(10);
+    group.measurement_time(Duration::from_secs(10));
+
+    for &poly_size in POLY_SIZE.iter() {
+        group.bench_function(BenchmarkId::new("serial", poly_size), |b| {
+            b.iter_batched(
+                || {
+                    let random_challenge: BaseElement = rand_value();
+                    let poly_evals: Vec<BaseElement> = rand_vector(poly_size);
+                    (random_challenge, poly_evals)
+                },
+                |(random_challenge, poly_evals)| {
+                    let mut poly_evals = poly_evals;
+                    bind_least_significant_variable_serial(&mut poly_evals, random_challenge)
+                },
+                BatchSize::SmallInput,
+            )
+        });
+    }
+}
+
+fn bind_variable_parallel(c: &mut Criterion) {
+    let mut group = c.benchmark_group("Bind variable function evaluations");
+    group.sample_size(10);
+    group.measurement_time(Duration::from_secs(10));
+
+    for &poly_size in POLY_SIZE.iter() {
+        group.bench_function(BenchmarkId::new("parallel", poly_size), |b| {
+            b.iter_batched(
+                || {
+                    let random_challenge: BaseElement = rand_value();
+                    let poly_evals: Vec<BaseElement> = rand_vector(poly_size);
+                    (random_challenge, poly_evals)
+                },
+                |(random_challenge, poly_evals)| {
+                    let mut poly_evals = poly_evals;
+                    bind_least_significant_variable_parallel(&mut poly_evals, random_challenge)
+                },
+                BatchSize::SmallInput,
+            )
+        });
+    }
+}
+
+fn bind_least_significant_variable_serial<E: FieldElement>(
+    evaluations: &mut Vec<E>,
+    round_challenge: E,
+) {
+    let num_evals = evaluations.len() >> 1;
+
+    for i in 0..num_evals {
+        evaluations[i] = evaluations[i << 1]
+            + round_challenge * (evaluations[(i << 1) + 1] - evaluations[i << 1]);
+    }
+    evaluations.truncate(num_evals);
+}
+
+fn bind_least_significant_variable_parallel<E: FieldElement>(
+    evaluations: &mut Vec<E>,
+    round_challenge: E,
+) {
+    let num_evals = evaluations.len() >> 1;
+
+    let mut result = unsafe { utils::uninit_vector(num_evals) };
+    result.par_iter_mut().enumerate().for_each(|(i, ev)| {
+        *ev = evaluations[i << 1]
+            + round_challenge * (evaluations[(i << 1) + 1] - evaluations[i << 1])
+    });
+    *evaluations = result
+}
+
+criterion_group!(group, bind_variable_serial, bind_variable_parallel);
+criterion_main!(group);

sumcheck/benches/eq_function.rs

@@ -0,0 +1,96 @@
+// Copyright (c) Facebook, Inc. and its affiliates.
+//
+// This source code is licensed under the MIT license found in the
+// LICENSE file in the root directory of this source tree.
+
+use std::time::Duration;
+
+use criterion::{criterion_group, criterion_main, BatchSize, BenchmarkId, Criterion};
+use math::{fields::f64::BaseElement, FieldElement};
+use rand_utils::rand_vector;
+#[cfg(feature = "concurrent")]
+pub use rayon::prelude::*;
+
+const LOG_POLY_SIZE: [usize; 2] = [18, 20];
+
+fn evaluate_eq_serial(c: &mut Criterion) {
+    let mut group = c.benchmark_group("EQ function evaluations");
+    group.sample_size(10);
+    group.measurement_time(Duration::from_secs(10));
+
+    for &log_poly_size in LOG_POLY_SIZE.iter() {
+        group.bench_function(BenchmarkId::new("serial", log_poly_size), |b| {
+            b.iter_batched(
+                || {
+                    let randomness: Vec<BaseElement> = rand_vector(log_poly_size);
+                    randomness
+                },
+                |rand| eq_evaluations(&rand),
+                BatchSize::SmallInput,
+            )
+        });
+    }
+}
+
+fn evaluate_eq_parallel(c: &mut Criterion) {
+    let mut group = c.benchmark_group("EQ function evaluations");
+    group.sample_size(10);
+    group.measurement_time(Duration::from_secs(10));
+
+    for &log_poly_size in LOG_POLY_SIZE.iter() {
+        group.bench_function(BenchmarkId::new("parallel", log_poly_size), |b| {
+            b.iter_batched(
+                || {
+                    let randomness: Vec<BaseElement> = rand_vector(log_poly_size);
+                    randomness
+                },
+                |rand| eq_evaluations_par(&rand),
+                BatchSize::SmallInput,
+            )
+        });
+    }
+}
+
+fn eq_evaluations<E: FieldElement>(query: &[E]) -> Vec<E> {
+    let n = 1 << query.len();
+    let mut evals = unsafe { utils::uninit_vector(n) };
+
+    let mut size = 1;
+    evals[0] = E::ONE;
+    for r_i in query.iter() {
+        let (left_evals, right_evals) = evals.split_at_mut(size);
+        left_evals.iter_mut().zip(right_evals.iter_mut()).for_each(|(left, right)| {
+            let factor = *left;
+            *right = factor * *r_i;
+            *left -= *right;
+        });
+
+        size *= 2;
+    }
+    evals
+}
+
+fn eq_evaluations_par<E: FieldElement>(query: &[E]) -> Vec<E> {
+    let n = 1 << query.len();
+    let mut evals = unsafe { utils::uninit_vector(n) };
+
+    let mut size = 1;
+    evals[0] = E::ONE;
+    for r_i in query.iter() {
+        let (left_evals, right_evals) = evals.split_at_mut(size);
+        left_evals
+            .par_iter_mut()
+            .zip(right_evals.par_iter_mut())
+            .for_each(|(left, right)| {
+                let factor = *left;
+                *right = factor * *r_i;
+                *left -= *right;
+            });
+
+        size <<= 1;
+    }
+    evals
+}
+
+criterion_group!(group, evaluate_eq_serial, evaluate_eq_parallel);
+criterion_main!(group);