GIPA, TIPP, MIPP, and example of Groth16 proof aggregation

[nirvantyagi]

This pull request provides the following additions:

• inner_products: Generic trait for inner products including implementations for pairing, multiexponentiation, and scalar inner products
• dh_commitments: Generic trait for doubly-homomorphic commitments including implementations for Pedersen and AFGHO16
• ip_proofs/gipa: Generic implementation of generalized inner product argument with respect to a set of doubly-homomorphic commitments and an inner product.
• ip_proofs/tipa: Generic implementation of trusted inner product argument for DH commitments that have commitment keys compatible with the TIPP KZG polynomial commitment trick, e.g. Pedersen and AFGHO16.
• ip_proofs/tipa/structured_scalar_message: Extends TIPP with alternate proving and verification algorithms when one of the messages in the inner product is a structured scalar of the form (1, r, r^2, ...). (trusted MIPP is captured by this)
• ip_proofs/examples/groth16_aggregation: Example using TIPP and MIPP for Groth16 proof aggregation.

I moved the previous code for SIPP into sipp. It might be nice to generalize the "plaintext" message option that is used in SIPP and structured_scalar_message in a future refactor. Currently they fall outside the abstraction of GIPA and DH commitments.

I tried my best to keep things modular and reuse code as much as possible. In some cases, this led to some repeated computation, so there is plenty of room for optimization. I have also not yet implemented any support for parallel computation.

[Pratyush]

Hi Nirvan, Sorry for the delay on this, I'll try to leave a detailed review today!

[nirvantyagi]

No worries. I have some updated benchmarks for the Groth16 proof aggregation (I realized I wasn't building the optimized binary), so now the numbers are more or less what we would expect from counting the group operations.

# of proofs	generation (ms)	aggregation (ms)	verification (ms)
16	130	690	138
64	572	2890	187
256	2095	11650	232
1024	9238	48976	280

[Pratyush]

Suggested change

	let mut out = Vec::new();
	out.extend_from_slice(m);
	Ok(IdentityOutput(out))
	Ok(IdentityOutput(m.to_vec()))

[nirvantyagi]

👍

[Pratyush]

You can change from G: Group to C: ProjectiveCurve if that helps you here (for efficiency or otherwise)

[nirvantyagi]

👍

I changed it to ProjectiveGroup in order to use the improved VariableMSM calculation of MultiexponentiationInnerProduct.

[Pratyush]

This does n final exponentations, you probably want to use something like this: https://github.com/scipr-lab/ripp/blob/e18c63cdda5710c9c65a7ec43532ac8281af3f35/src/lib.rs#L150

[nirvantyagi]

👍

Done. I used:

https://github.com/scipr-lab/zexe/blob/master/algebra-core/src/curves/mod.rs#L73

I think adding in parallelization support can be done in a future pass?

[Pratyush]

For larger inputs (len > 100), you might want to use something like https://github.com/scipr-lab/zexe/blob/38b6f6f2c6b9a6a1b5e8eb90b1287c98b06520d1/algebra-core/src/msm/variable_base.rs#L100

It should speed up this inner product massively.

[nirvantyagi]

👍

Had to change the generic parameter away from Group to a curve in order to use VariableMSM::multi_scalar_mul.

[Pratyush]

It might be easier to wrap up things into an GIPAConfig trait, maybe something like the following:

pub trait GIPAConfig {
	type Scalar: ...;

	type LMCKey: ...;
	type RMCKey: ...;
	type IPCKey: ...;

	type LMCMsg: ...;
	type RMCMsg: ...;
	type IPCMsg: ...;

	type LMCOutput: ...;
	type RMCOutput: ...;
	type IPCOutput: ...;

	type IP: InnerProduct<LeftMessage = Self::LMCMsg, RightMessage = Self::RMCMsg, Output = Self::IPCMsg>;

	type LMC: ...;
	type RMC: ...;
	type IPC: ...;
}

[nirvantyagi]

Agreed with your other comment that having a GIPAConfig that implements Clone would allow other structs that parameterize with GIPAConfig to simply derive Clone, which would be easier.

Initializing a GIPAConfig would be slightly more annoying due to the 9 extra types (Key, Msg, Output) that need to be specified.

I'm going to keep as is for now, just because of inertia to refactor, but if you have a strong preference, I'm happy to make the change.

---

Separately: In zexe, is there a reason Group doesn't implement Mul<Self> or even better Mul<&Self>? Currently am using MulAssign as a workaround.

[Pratyush]

Do you mean Mul<Scalar>? It's because we didn't like the idea of right multiplication by the scalar =P

[Pratyush]

should we parallelize these? Or do you think it would be unnecessary (verification is already fast enough)?

[nirvantyagi]

Yes, verification will be a significant cost. I think instead of parallelizing the calls to each of these three verifies, we will get what we want when we implement parallelism for the inner products in inner_products, e.g. pedersen uses MultiexponentiationInnerProduct and afgho16 uses PairingInnerProduct.

[Pratyush]

maybe this is can be replaced with a

if !m_a.len().is_power_of_two() {
	return Err(...);
}
if m_a.len() == 1 { 
	something 
} else { 
	something else 
}

[nirvantyagi]

👍

Fixed when unrolling recursion.

[Pratyush]

Is there a way to do this in place/using iteration? Currently the memory required increases with the depth of recursion

[nirvantyagi]

👍

Yes, I've made this change now for all of the recursive implementations in gipa.

[Pratyush]

Is there a way to reduce this to a single MSM, like what Bulletproofs does? Instead of essentially repeating the prover? This should provide great speed-ups for the verifier.

[nirvantyagi]

Yes, we can do something like that (looking at Section 3.1 of BBBPWM18).

I see that BBBPWM18 describes the same bit representation trick that I had emailed you all about in the TIPP context to calculate these scalars in linear time (Section 6.2 "Computing scalars").

I changed the verification to perform the multiexponentiation all at once at the end. However, it does not currently get the gains of using VariableMSM::multi_scalar_mul since we do not bind the commitment keys (LMC::Key, RMC::Key) to AffineCurve -- a downside of the generalization. Perhaps, we can add two inner products to the generic parameterization to do this? Not a super clean solution... Thoughts?

[Pratyush]

One way around this would be to add a "multi-scalar-mul" trait, and invoke that? That trait would have different implementations for fields vs for curves. (Maybe that belongs in zexe, and not here?)

[Pratyush]

We can leave that to a future PR; I filed an issue for it.

[Pratyush]

If moving to the GIPAConfig idea, you can just derive this.

[nirvantyagi]

See other response.

[Pratyush]

Would it make the code more modular/abstracted if you used https://github.com/scipr-lab/poly-commit/tree/master/src/kzg10 ?

(I don't know the answer, because some computations might be different)

[nirvantyagi]

There are some extra computations we need. For example, we need to support shifting by a scalar r. That can still be made to work on top of a KZG commitment abstraction. However, the problem is that the library is fixed to commit to G1, whereas we need KZG commitments on both G1 and G2.

[Pratyush]

If not using the existing KZG10 impl, then you should use https://github.com/scipr-lab/zexe/blob/38b6f6f2c6b9a6a1b5e8eb90b1287c98b06520d1/algebra-core/src/msm/fixed_base.rs

[nirvantyagi]

👍 Changed parameterization to ProjectiveCurve

[Pratyush]

Maybe you can extract out the common code into a method on TIPA, and then use that method in both TIPA and here.

[nirvantyagi]

Yeah, I think something like that could work. The problem with using TIPA black-box as I am right now is that it attempts to calculate the structured KZG polynomial commitment proof for both left and right. We would want to extract the polynomial commitment proving and verification code from the main prove and verify methods, so that they can be called separately for left and right.

Then to do TIPA for left and a structured scalar message for right, we can first run GIPA using a PlaceholderCommitment that has null commitment keys and null commitments. Then run the TIPA polynomial commitment code on just left.

I haven't made this change yet, but commenting here to make note of this as a possible plan forward.

[nirvantyagi]

Thanks for the comments! Sorry I wasn't able to get to it this week. I'll respond soon!