Circuit compute_c reduce constraints (#97)

* migrate from CurveGroup to PrimeField in hypernova & ccs when curve whas not needed to simplify the code

* refactor test of compute_c circuit to use multiple lcccs&cccs instances

* refactor hypernova's compute_c circuit to reduce from `110635` to `553` constraints

* apply review nits

Author: arnaucube

folding-schemes/src/ccs/mod.rs

@@ -1,7 +1,5 @@
-use ark_ec::CurveGroup;
+use ark_ff::PrimeField;
 use ark_std::log2;
-use ark_std::{One, Zero};
-use std::ops::Neg;
 
 use crate::utils::vec::*;
 use crate::Error;
@@ -12,7 +10,7 @@ use r1cs::R1CS;
 /// CCS represents the Customizable Constraint Systems structure defined in
 /// the [CCS paper](https://eprint.iacr.org/2023/552)
 #[derive(Debug, Clone, Eq, PartialEq)]
-pub struct CCS<C: CurveGroup> {
+pub struct CCS<F: PrimeField> {
     /// m: number of rows in M_i (such that M_i \in F^{m, n})
     pub m: usize,
     /// n = |z|, number of cols in M_i
@@ -31,25 +29,24 @@ pub struct CCS<C: CurveGroup> {
     pub s_prime: usize,
 
     /// vector of matrices
-    pub M: Vec<SparseMatrix<C::ScalarField>>,
+    pub M: Vec<SparseMatrix<F>>,
     /// vector of multisets
     pub S: Vec<Vec<usize>>,
     /// vector of coefficients
-    pub c: Vec<C::ScalarField>,
+    pub c: Vec<F>,
 }
 
-impl<C: CurveGroup> CCS<C> {
+impl<F: PrimeField> CCS<F> {
     /// check that a CCS structure is satisfied by a z vector. Only for testing.
-    pub fn check_relation(&self, z: &[C::ScalarField]) -> Result<(), Error> {
-        let mut result = vec![C::ScalarField::zero(); self.m];
+    pub fn check_relation(&self, z: &[F]) -> Result<(), Error> {
+        let mut result = vec![F::zero(); self.m];
 
         for i in 0..self.q {
             // extract the needed M_j matrices out of S_i
-            let vec_M_j: Vec<&SparseMatrix<C::ScalarField>> =
-                self.S[i].iter().map(|j| &self.M[*j]).collect();
+            let vec_M_j: Vec<&SparseMatrix<F>> = self.S[i].iter().map(|j| &self.M[*j]).collect();
 
             // complete the hadamard chain
-            let mut hadamard_result = vec![C::ScalarField::one(); self.m];
+            let mut hadamard_result = vec![F::one(); self.m];
             for M_j in vec_M_j.into_iter() {
                 hadamard_result = hadamard(&hadamard_result, &mat_vec_mul_sparse(M_j, z)?)?;
             }
@@ -72,8 +69,8 @@ impl<C: CurveGroup> CCS<C> {
     }
 }
 
-impl<C: CurveGroup> CCS<C> {
-    pub fn from_r1cs(r1cs: R1CS<C::ScalarField>) -> Self {
+impl<F: PrimeField> CCS<F> {
+    pub fn from_r1cs(r1cs: R1CS<F>) -> Self {
         let m = r1cs.A.n_rows;
         let n = r1cs.A.n_cols;
         CCS {
@@ -87,13 +84,13 @@ impl<C: CurveGroup> CCS<C> {
             d: 2,
 
             S: vec![vec![0, 1], vec![2]],
-            c: vec![C::ScalarField::one(), C::ScalarField::one().neg()],
+            c: vec![F::one(), F::one().neg()],
             M: vec![r1cs.A, r1cs.B, r1cs.C],
         }
     }
 
-    pub fn to_r1cs(self) -> R1CS<C::ScalarField> {
-        R1CS::<C::ScalarField> {
+    pub fn to_r1cs(self) -> R1CS<F> {
+        R1CS::<F> {
             l: self.l,
             A: self.M[0].clone(),
             B: self.M[1].clone(),
@@ -107,11 +104,11 @@ pub mod tests {
     use super::*;
     use crate::ccs::r1cs::tests::{get_test_r1cs, get_test_z as r1cs_get_test_z};
     use ark_ff::PrimeField;
-    use ark_pallas::Projective;
+    use ark_pallas::Fr;
 
-    pub fn get_test_ccs<C: CurveGroup>() -> CCS<C> {
-        let r1cs = get_test_r1cs::<C::ScalarField>();
-        CCS::<C>::from_r1cs(r1cs)
+    pub fn get_test_ccs<F: PrimeField>() -> CCS<F> {
+        let r1cs = get_test_r1cs::<F>();
+        CCS::<F>::from_r1cs(r1cs)
     }
     pub fn get_test_z<F: PrimeField>(input: usize) -> Vec<F> {
         r1cs_get_test_z(input)
@@ -120,7 +117,7 @@ pub mod tests {
     /// Test that a basic CCS relation can be satisfied
     #[test]
     fn test_ccs_relation() {
-        let ccs = get_test_ccs::<Projective>();
+        let ccs = get_test_ccs::<Fr>();
         let z = get_test_z(3);
 
         ccs.check_relation(&z).unwrap();

folding-schemes/src/folding/circuits/nonnative/affine.rs

@@ -1,4 +1,5 @@
 use ark_ec::{AffineRepr, CurveGroup};
+use ark_ff::PrimeField;
 use ark_r1cs_std::{
     alloc::{AllocVar, AllocationMode},
     fields::fp::FpVar,
@@ -16,7 +17,7 @@ use super::uint::{nonnative_field_to_field_elements, NonNativeUintVar};
 #[derive(Debug, Clone)]
 pub struct NonNativeAffineVar<C: CurveGroup>
 where
-    <C as ark_ec::CurveGroup>::BaseField: ark_ff::PrimeField,
+    <C as CurveGroup>::BaseField: PrimeField,
 {
     pub x: NonNativeUintVar<C::ScalarField>,
     pub y: NonNativeUintVar<C::ScalarField>,
@@ -25,7 +26,7 @@ where
 impl<C> AllocVar<C, C::ScalarField> for NonNativeAffineVar<C>
 where
     C: CurveGroup,
-    <C as ark_ec::CurveGroup>::BaseField: ark_ff::PrimeField,
+    <C as CurveGroup>::BaseField: PrimeField,
 {
     fn new_variable<T: Borrow<C>>(
         cs: impl Into<Namespace<C::ScalarField>>,
@@ -49,7 +50,7 @@ where
 
 impl<C: CurveGroup> ToConstraintFieldGadget<C::ScalarField> for NonNativeAffineVar<C>
 where
-    <C as ark_ec::CurveGroup>::BaseField: ark_ff::PrimeField,
+    <C as CurveGroup>::BaseField: PrimeField,
 {
     // Used for converting `NonNativeAffineVar` to a vector of `FpVar` with minimum length in
     // the circuit.
@@ -66,7 +67,7 @@ pub fn nonnative_affine_to_field_elements<C: CurveGroup>(
     p: C,
 ) -> Result<(Vec<C::ScalarField>, Vec<C::ScalarField>), SynthesisError>
 where
-    <C as ark_ec::CurveGroup>::BaseField: ark_ff::PrimeField,
+    <C as CurveGroup>::BaseField: PrimeField,
 {
     let affine = p.into_affine();
     if affine.is_zero() {
@@ -83,7 +84,7 @@ where
 
 impl<C: CurveGroup> NonNativeAffineVar<C>
 where
-    <C as ark_ec::CurveGroup>::BaseField: ark_ff::PrimeField,
+    <C as CurveGroup>::BaseField: PrimeField,
 {
     // A wrapper of `point_to_nonnative_limbs_custom_opt` with constraints-focused optimization
     // type (which is the default optimization type for arkworks' Groth16).

folding-schemes/src/folding/circuits/sum_check.rs

@@ -1,10 +1,7 @@
 use crate::utils::espresso::sum_check::SumCheck;
 use crate::utils::virtual_polynomial::VPAuxInfo;
 use crate::{
-    transcript::{
-        poseidon::{PoseidonTranscript, PoseidonTranscriptVar},
-        TranscriptVar,
-    },
+    transcript::{poseidon::PoseidonTranscript, TranscriptVar},
     utils::sum_check::{structs::IOPProof, IOPSumCheck},
 };
 use ark_crypto_primitives::sponge::Absorb;
@@ -150,7 +147,7 @@ impl<C: CurveGroup> SumCheckVerifierGadget<C> {
     pub fn verify(
         iop_proof_var: &IOPProofVar<C>,
         poly_aux_info_var: &VPAuxInfoVar<C::ScalarField>,
-        transcript_var: &mut PoseidonTranscriptVar<C::ScalarField>,
+        transcript_var: &mut impl TranscriptVar<C::ScalarField>,
     ) -> Result<(Vec<FpVar<C::ScalarField>>, Vec<FpVar<C::ScalarField>>), SynthesisError> {
         let mut e_vars = vec![iop_proof_var.claim.clone()];
         let mut r_vars: Vec<FpVar<C::ScalarField>> = Vec::new();

folding-schemes/src/folding/circuits/utils.rs

@@ -12,7 +12,7 @@ pub struct EqEvalGadget<F: PrimeField> {
 impl<F: PrimeField> EqEvalGadget<F> {
     /// Gadget to evaluate eq polynomial.
     /// Follows the implementation of `eq_eval` found in this crate.
-    pub fn eq_eval(x: Vec<FpVar<F>>, y: Vec<FpVar<F>>) -> Result<FpVar<F>, SynthesisError> {
+    pub fn eq_eval(x: &[FpVar<F>], y: &[FpVar<F>]) -> Result<FpVar<F>, SynthesisError> {
         if x.len() != y.len() {
             return Err(SynthesisError::Unsatisfiable);
         }
@@ -30,16 +30,15 @@ impl<F: PrimeField> EqEvalGadget<F> {
 
 #[cfg(test)]
 mod tests {
-
-    use crate::utils::virtual_polynomial::eq_eval;
-
-    use super::EqEvalGadget;
     use ark_ff::Field;
     use ark_pallas::Fr;
     use ark_r1cs_std::{alloc::AllocVar, fields::fp::FpVar, R1CSVar};
     use ark_relations::r1cs::ConstraintSystem;
     use ark_std::{test_rng, UniformRand};
 
+    use super::EqEvalGadget;
+    use crate::utils::virtual_polynomial::eq_eval;
+
     #[test]
     pub fn test_eq_eval_gadget() {
         let mut rng = test_rng();
@@ -57,19 +56,19 @@ mod tests {
                 .map(|y| FpVar::<Fr>::new_witness(cs.clone(), || Ok(y)).unwrap())
                 .collect();
             let expected_eq_eval = eq_eval::<Fr>(&x_vec, &y_vec).unwrap();
-            let gadget_eq_eval: FpVar<Fr> = EqEvalGadget::<Fr>::eq_eval(x, y).unwrap();
+            let gadget_eq_eval: FpVar<Fr> = EqEvalGadget::<Fr>::eq_eval(&x, &y).unwrap();
             assert_eq!(expected_eq_eval, gadget_eq_eval.value().unwrap());
         }
 
         let x: Vec<FpVar<Fr>> = vec![];
         let y: Vec<FpVar<Fr>> = vec![];
-        let gadget_eq_eval = EqEvalGadget::<Fr>::eq_eval(x, y);
+        let gadget_eq_eval = EqEvalGadget::<Fr>::eq_eval(&x, &y);
         assert!(gadget_eq_eval.is_err());
 
         let x: Vec<FpVar<Fr>> = vec![];
         let y: Vec<FpVar<Fr>> =
             vec![FpVar::<Fr>::new_witness(cs.clone(), || Ok(&Fr::ONE)).unwrap()];
-        let gadget_eq_eval = EqEvalGadget::<Fr>::eq_eval(x, y);
+        let gadget_eq_eval = EqEvalGadget::<Fr>::eq_eval(&x, &y);
         assert!(gadget_eq_eval.is_err());
     }
 }

folding-schemes/src/folding/hypernova/cccs.rs

@@ -5,7 +5,7 @@ use ark_std::Zero;
 use std::ops::Add;
 use std::sync::Arc;
 
-use ark_std::{rand::Rng, UniformRand};
+use ark_std::rand::Rng;
 
 use super::utils::compute_sum_Mz;
 use crate::ccs::CCS;
@@ -35,13 +35,17 @@ pub struct CCCS<C: CurveGroup> {
     pub x: Vec<C::ScalarField>,
 }
 
-impl<C: CurveGroup> CCS<C> {
-    pub fn to_cccs<R: Rng>(
+impl<F: PrimeField> CCS<F> {
+    pub fn to_cccs<R: Rng, C: CurveGroup>(
         &self,
         rng: &mut R,
         pedersen_params: &PedersenParams<C>,
         z: &[C::ScalarField],
-    ) -> Result<(CCCS<C>, Witness<C::ScalarField>), Error> {
+    ) -> Result<(CCCS<C>, Witness<C::ScalarField>), Error>
+    where
+        // enforce that CCS's F is the C::ScalarField
+        C: CurveGroup<ScalarField = F>,
+    {
         let w: Vec<C::ScalarField> = z[(1 + self.l)..].to_vec();
         let r_w = C::ScalarField::rand(rng);
         let C = Pedersen::<C, true>::commit(pedersen_params, &w, &r_w)?;
@@ -57,13 +61,12 @@ impl<C: CurveGroup> CCS<C> {
 
     /// Computes q(x) = \sum^q c_i * \prod_{j \in S_i} ( \sum_{y \in {0,1}^s'} M_j(x, y) * z(y) )
     /// polynomial over x
-    pub fn compute_q(&self, z: &Vec<C::ScalarField>) -> VirtualPolynomial<C::ScalarField> {
+    pub fn compute_q(&self, z: &Vec<F>) -> VirtualPolynomial<F> {
         let z_mle = vec_to_mle(self.s_prime, z);
-        let mut q = VirtualPolynomial::<C::ScalarField>::new(self.s);
+        let mut q = VirtualPolynomial::<F>::new(self.s);
 
         for i in 0..self.q {
-            let mut prod: VirtualPolynomial<C::ScalarField> =
-                VirtualPolynomial::<C::ScalarField>::new(self.s);
+            let mut prod: VirtualPolynomial<F> = VirtualPolynomial::<F>::new(self.s);
             for j in self.S[i].clone() {
                 let M_j = matrix_to_mle(self.M[j].clone());
 
@@ -74,11 +77,9 @@ impl<C: CurveGroup> CCS<C> {
                     // If this is the first time we are adding something to this virtual polynomial, we need to
                     // explicitly add the products using add_mle_list()
                     // XXX is this true? improve API
-                    prod.add_mle_list([Arc::new(sum_Mz)], C::ScalarField::one())
-                        .unwrap();
+                    prod.add_mle_list([Arc::new(sum_Mz)], F::one()).unwrap();
                 } else {
-                    prod.mul_by_mle(Arc::new(sum_Mz), C::ScalarField::one())
-                        .unwrap();
+                    prod.mul_by_mle(Arc::new(sum_Mz), F::one()).unwrap();
                 }
             }
             // Multiply by the product by the coefficient c_i
@@ -92,11 +93,7 @@ impl<C: CurveGroup> CCS<C> {
     /// Computes Q(x) = eq(beta, x) * q(x)
     ///               = eq(beta, x) * \sum^q c_i * \prod_{j \in S_i} ( \sum_{y \in {0,1}^s'} M_j(x, y) * z(y) )
     /// polynomial over x
-    pub fn compute_Q(
-        &self,
-        z: &Vec<C::ScalarField>,
-        beta: &[C::ScalarField],
-    ) -> VirtualPolynomial<C::ScalarField> {
+    pub fn compute_Q(&self, z: &Vec<F>, beta: &[F]) -> VirtualPolynomial<F> {
         let q = self.compute_q(z);
         q.build_f_hat(beta).unwrap()
     }
@@ -107,7 +104,7 @@ impl<C: CurveGroup> CCCS<C> {
     pub fn check_relation(
         &self,
         pedersen_params: &PedersenParams<C>,
-        ccs: &CCS<C>,
+        ccs: &CCS<C::ScalarField>,
         w: &Witness<C::ScalarField>,
     ) -> Result<(), Error> {
         // check that C is the commitment of w. Notice that this is not verifying a Pedersen
@@ -139,15 +136,15 @@ pub mod tests {
     use ark_std::test_rng;
     use ark_std::UniformRand;
 
-    use ark_pallas::{Fr, Projective};
+    use ark_pallas::Fr;
 
     /// Do some sanity checks on q(x). It's a multivariable polynomial and it should evaluate to zero inside the
     /// hypercube, but to not-zero outside the hypercube.
     #[test]
     fn test_compute_q() {
         let mut rng = test_rng();
 
-        let ccs = get_test_ccs::<Projective>();
+        let ccs = get_test_ccs::<Fr>();
         let z = get_test_z(3);
 
         let q = ccs.compute_q(&z);
@@ -167,7 +164,7 @@ pub mod tests {
     fn test_compute_Q() {
         let mut rng = test_rng();
 
-        let ccs: CCS<Projective> = get_test_ccs();
+        let ccs: CCS<Fr> = get_test_ccs();
         let z = get_test_z(3);
         ccs.check_relation(&z).unwrap();
 
@@ -201,7 +198,7 @@ pub mod tests {
     fn test_Q_against_q() {
         let mut rng = test_rng();
 
-        let ccs: CCS<Projective> = get_test_ccs();
+        let ccs: CCS<Fr> = get_test_ccs();
         let z = get_test_z(3);
         ccs.check_relation(&z).unwrap();