Use BLS12381 curve (#5)

* Use BLS12381 curve

* Address imports PR feedback

* Add benchmarks

* Update Galois fields, elliptic curves, and pairings

Author: Acentelles

ChangeLog.md

@@ -1,5 +1,11 @@
 # Changelog for sonic
 
+## 0.3
+
+* Use BLS12-381 elliptic curve
+* Add `RndOracle` data type as part of the proving step
+* Add benchmarks
+
 ## 0.2
 
 * Fix leak: Prover should not receive `x` and `g^{\alpha}` should not be shared.

README.md

@@ -20,7 +20,7 @@ the two-variate polynomial equation used in
 
 The Sonic protocol can be outlined in three steps: Setup, Prover and
 Verifier. Due to the universality property of the SRS, the setup phase needs
-only to be run once.
+only to be run once. This implementation uses BLS12-381 elliptic curve.
 
 ```haskell
 sonicProtocol :: ArithCircuit Fr -> Assignment Fr -> Fr -> IO Bool

bench/Main.hs

@@ -0,0 +1,50 @@
+module Main where
+
+import Protolude
+import Bulletproofs.ArithmeticCircuit (Assignment(..), ArithCircuit)
+import Criterion.Main
+import Data.Pairing.BLS12381 (Fr)
+
+import qualified Sonic.SRS as SRS
+import Sonic.Protocol
+import Test.Reference
+
+exampleX :: Fr
+exampleX = 11
+
+exampleZ :: Fr
+exampleZ = 12
+
+exampleD :: Int -> Int
+exampleD n = 25 * n
+
+exampleRndParams :: RandomParams
+exampleRndParams = RandomParams
+  { pX = 1
+  , pY = 2
+  , pZ = 3
+  , pAlpha = 4
+  }
+
+runProver :: IO (Proof Fr, RndOracle Fr)
+runProver = do
+  let (arithCircuit, assignment) = arithCircuitExample1 exampleX exampleZ
+      srs = SRS.new (exampleD (length $ aL assignment)) (pX exampleRndParams) (pAlpha exampleRndParams)
+  prove srs assignment arithCircuit
+
+main :: IO ()
+main = defaultMain
+  [ sonic $ arithCircuitExample1 exampleX exampleZ
+  , sonic $ arithCircuitExample2 exampleX exampleZ
+  ]
+
+sonic :: (ArithCircuit Fr, Assignment Fr) -> Benchmark
+sonic (arithCircuit, assignment) = bgroup "Sonic"
+  [ bench "Prover" $
+    let srs = SRS.new (exampleD (length $ aL assignment)) (pX exampleRndParams) (pAlpha exampleRndParams)
+    in nfIO (prove srs assignment arithCircuit)
+  , env runProver $ \(~(proof, rndOracle@RndOracle{..})) ->
+      bench "Verifier" $
+      let srs = SRS.new (exampleD (length $ aL assignment)) (pX exampleRndParams) (pAlpha exampleRndParams)
+      in nf (verify srs arithCircuit proof rndOracleY rndOracleZ) rndOracleYs
+  ]

examples/Main.hs

@@ -4,20 +4,20 @@ module Main where
 import Protolude
 import Control.Monad.Random (getRandomR)
 import Bulletproofs.ArithmeticCircuit
-import GaloisField(GaloisField(rnd))
+import Data.Pairing.BLS12381 (Fr)
+import Data.Field.Galois (rnd)
 
 import Sonic.SRS as SRS
 import Sonic.Protocol
-import Sonic.Curve (Fr)
 
 sonicProtocol :: ArithCircuit Fr -> Assignment Fr -> Fr -> IO Bool
 sonicProtocol circuit assignment x = do
   -- Setup for an SRS
   srs <- SRS.new <$> randomD n <*> pure x <*> rnd
   -- Prover
-  (proof, y, z, ys) <- prove srs assignment circuit
+  (proof, rndOracle@RndOracle{..}) <- prove srs assignment circuit
   -- Verifier
-  pure $ verify srs circuit proof y z ys
+  pure $ verify srs circuit proof rndOracleY rndOracleZ rndOracleYs
   where
     -- n: Number of multiplication constraints
     n = length $ aL assignment

package.yaml

@@ -53,7 +53,6 @@ library:
   - Sonic.SRS
   - Sonic.Signature
   - Sonic.Utils
-  - Sonic.Curve
 
 executables:
   sonic-example:
@@ -73,12 +72,28 @@ executables:
     - QuickCheck
 tests:
   sonic-test:
-    main: Main.hs
+    main: Test.Main.hs
     source-dirs: test
     dependencies:
       - sonic
+      - QuickCheck
       - tasty
       - tasty-discover
       - tasty-hunit
       - tasty-quickcheck
+
+benchmarks:
+  sonic-benchmarks:
+    source-dirs:
+      - bench
+      - test
+    main: Main.hs
+    dependencies:
+      - sonic
+      - criterion
       - QuickCheck
+      - tasty
+      - tasty-quickcheck
+      - tasty-hunit
+    other-modules:
+      - Test.Reference

src/Sonic/CommitmentScheme.hs

@@ -9,17 +9,15 @@ module Sonic.CommitmentScheme
 
 import Protolude
 import Data.List ((!!))
-import Pairing.Pairing (reducedPairing)
+import Data.Curve (Curve(..), mul)
+import Data.Pairing.BLS12381 (Fr, G1, GT, BLS12381, pairing)
 import Math.Polynomial.Laurent
   (Laurent, newLaurent, quotLaurent, evalLaurent, expLaurent, coeffsLaurent)
-import Curve (Curve(..), Group(..))
-
 import Sonic.SRS (SRS(..))
-import Sonic.Curve (Fr, G1, GT)
 
-type Opening f = (f, G1)
+type Opening f = (f, G1 BLS12381)
 
-commitPoly :: SRS -> Int -> Laurent Fr -> G1
+commitPoly :: SRS -> Int -> Laurent Fr -> G1 BLS12381
 commitPoly SRS{..} maxm fX
   = foldl' (<>) mempty (negPowers ++ posPowers)
   where
@@ -35,7 +33,7 @@ commitPoly SRS{..} maxm fX
     negPowers = zipWith mul gNegativeAlphaX (reverse negCoeffs)
     posPowers = zipWith mul gPositiveAlphaX posCoeffs
 
-openPoly :: SRS -> G1 -> Fr -> Laurent Fr -> Opening Fr
+openPoly :: SRS -> G1 BLS12381 -> Fr -> Laurent Fr -> Opening Fr
 openPoly SRS{..} _commitment z fX
   = let fz = evalLaurent fX z
         wPoly = (fX - newLaurent 0 [fz]) `quotLaurent` newLaurent 0 [-z, 1]
@@ -53,7 +51,7 @@ openPoly SRS{..} _commitment z fX
 pcV
   :: SRS
   -> Int
-  -> G1
+  -> G1 BLS12381
   -> Fr
   -> Opening Fr
   -> Bool
@@ -64,7 +62,7 @@ pcV SRS{..} maxm commitment z (v, w)
     hxi = if difference >= 0
           then hPositiveX !! difference
           else hNegativeX !! (abs difference - 1)
-    eA, eB, eC :: GT
-    eA = reducedPairing w (hPositiveAlphaX !! 1) -- when i = 1
-    eB = reducedPairing ((gen `mul` v) <> (w `mul` negate z)) (hPositiveAlphaX !! 0) -- when i = 0
-    eC = reducedPairing commitment hxi
+    eA, eB, eC :: GT BLS12381
+    eA = pairing w (hPositiveAlphaX !! 1) -- when i = 1
+    eB = pairing ((gen `mul` v) <> (w `mul` negate z)) (hPositiveAlphaX !! 0) -- when i = 0
+    eC = pairing commitment hxi

src/Sonic/Constraints.hs

@@ -10,11 +10,10 @@ module Sonic.Constraints
 
 import Protolude hiding (head)
 import Data.List (zipWith4, head, (!!))
+import Data.Pairing.BLS12381 (Fr)
 import Bulletproofs.ArithmeticCircuit (Assignment(..), GateWeights(..))
 import Math.Polynomial.Laurent
   (Laurent(..), newLaurent, zeroLaurent, expLaurent)
-
-import Sonic.Curve (Fr)
 import Sonic.Utils (BiVariateLaurent, convertToTwoVariateX, convertToTwoVariateY, evalOnY)
 
 rPoly

src/Sonic/Curve.hs

@@ -1,44 +1,54 @@
 -- The interactive Sonic protocol to check that the prover knows a valid assignment of the wires in the circuit
 
 {-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DeriveAnyClass #-}
 module Sonic.Protocol
   ( Proof
+  , RndOracle(..)
   , prove
   , verify
   ) where
 
 import Protolude hiding (head)
 import Data.List (head)
+import Data.Pairing.BLS12381 (Fr, G1, BLS12381)
 import Control.Monad.Random (MonadRandom)
 import Bulletproofs.ArithmeticCircuit (ArithCircuit(..), Assignment(..), GateWeights(..))
 import Math.Polynomial.Laurent (newLaurent, evalLaurent)
-import GaloisField (GaloisField(rnd))
+import Data.Field.Galois (rnd)
 
 import Sonic.SRS (SRS(..))
 import Sonic.Constraints (rPoly, sPoly, tPoly, kPoly)
 import Sonic.CommitmentScheme (commitPoly, openPoly, pcV)
 import Sonic.Signature (HscProof(..), hscP, hscV)
 import Sonic.Utils (evalOnY)
-import Sonic.Curve (Fr, G1)
 
 data Proof f = Proof
-  { prR :: G1
-  , prT :: G1
+  { prR :: G1 BLS12381
+  , prT :: G1 BLS12381
   , prA :: f
-  , prWa :: G1
+  , prWa :: G1 BLS12381
   , prB :: f
-  , prWb :: G1
-  , prWt :: G1
+  , prWb :: G1 BLS12381
+  , prWt :: G1 BLS12381
   , prS :: f
   , prHscProof :: HscProof f
-  }
+  } deriving (Eq, Show, Generic, NFData)
+
+-- | Values created non-interactively in the random oracle model during proof generation
+data RndOracle f = RndOracle
+  { rndOracleY :: f
+  , rndOracleZ :: f
+  , rndOracleYs :: [f]
+  } deriving (Eq, Show, Generic, NFData)
 
 prove
   :: MonadRandom m
   => SRS
   -> Assignment Fr
   -> ArithCircuit Fr
-  -> m (Proof Fr, Fr, Fr, [Fr])
+  -> m (Proof Fr, RndOracle Fr)
 prove srs@SRS{..} assignment@Assignment{..} arithCircuit@ArithCircuit{..} =
   if srsD < 7*n
     then panic $ "Parameter d is not large enough: " <> show srsD <> " should be greater than " <>  show (7*n)
@@ -80,9 +90,11 @@ prove srs@SRS{..} assignment@Assignment{..} arithCircuit@ArithCircuit{..} =
            , prS = s
            , prHscProof = hscProof
            }
-         , y
-         , z
-         , ys
+         , RndOracle
+           { rndOracleY = y
+           , rndOracleZ = z
+           , rndOracleYs = ys
+           }
          )
   where
     n :: Int

src/Sonic/Protocol.hs

@@ -3,22 +3,20 @@
 module Sonic.SRS where
 
 import Protolude
-import Pairing.Pairing (reducedPairing)
-import Curve (Curve(..), Group(..))
-
-import Sonic.Curve (Fr, G1, G2, GT)
+import Data.Curve (Curve(..), mul)
+import Data.Pairing.BLS12381 (Fr, G1, G2, GT, BLS12381, pairing)
 
 data SRS = SRS
   { srsD :: Int
-  , gNegativeX :: [G1]
-  , gPositiveX :: [G1]
-  , hNegativeX :: [G2]
-  , hPositiveX :: [G2]
-  , gNegativeAlphaX :: [G1]
-  , gPositiveAlphaX :: [G1]
-  , hNegativeAlphaX :: [G2]
-  , hPositiveAlphaX :: [G2]
-  , srsPairing :: GT
+  , gNegativeX :: [G1 BLS12381]
+  , gPositiveX :: [G1 BLS12381]
+  , hNegativeX :: [G2 BLS12381]
+  , hPositiveX :: [G2 BLS12381]
+  , gNegativeAlphaX :: [G1 BLS12381]
+  , gPositiveAlphaX :: [G1 BLS12381]
+  , hNegativeAlphaX :: [G2 BLS12381]
+  , hPositiveAlphaX :: [G2 BLS12381]
+  , srsPairing :: GT BLS12381
   }
 
 -- | Create a new Structured Reference String (SRS)
@@ -38,5 +36,5 @@ new d x alpha
         , gPositiveAlphaX = mul gen 0 : (mul gen . ((*) alpha . (^) x) <$> [1..d])
         , hNegativeAlphaX = mul gen . ((*) alpha . (^) xInv) <$> [1..d]
         , hPositiveAlphaX = mul gen . ((*) alpha . (^) x) <$> [0..d]
-        , srsPairing = reducedPairing gen (mul gen alpha)
+        , srsPairing = pairing gen (mul gen alpha)
         }