Prevent Serde from adding redundant bounds on F (#83)

* Prevent Serde from adding redundant bounds on `F`

Since `Field` is already a subtrait of `Serialize` and `DeserializeOwned`, we don't need serde to add its own bounds like `where F: Serialize`. The redundant bounds would normally be harmless, but they cause an error due to a compiler bug: rust-lang/rust#41617

* Added FFT+MSM precomputations to the VK serialization + Move to serde_cbor.

* Remove unused import.

* Use struct destructuring

Co-authored-by: wborgeaud <[email protected]>

Author: dlubarov

Cargo.toml

@@ -25,9 +25,9 @@ blake3 = "0.3.3"
 anyhow = "1.0.31"
 once_cell = "1.4.0"
 serde = { version = "1.0", features = ["derive"] }
-bincode = "1.3.1"
 log = "0.4"
 pretty_env_logger = "0.4"
+serde_cbor = "0.11.1"
 
 [dev-dependencies]
 criterion = "0.3.3"

src/fft.rs

@@ -2,6 +2,7 @@ use rayon::prelude::*;
 
 use crate::util::{log2_ceil, log2_strict};
 use crate::Field;
+use serde::{Serialize, Deserialize};
 
 /// Permutes `arr` such that each index is mapped to its reverse in binary.
 fn reverse_index_bits<T: Copy>(arr: Vec<T>) -> Vec<T> {
@@ -24,7 +25,8 @@ fn reverse_bits(n: usize, num_bits: usize) -> usize {
     result
 }
 
-#[derive(Debug, Clone, Eq, PartialEq)]
+#[derive(Debug, Clone, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(bound = "")]
 pub struct FftPrecomputation<F: Field> {
     /// For each layer index i, stores the cyclic subgroup corresponding to the evaluation domain of
     /// layer i. The indices within these subgroup vectors are bit-reversed.

src/plonk.rs

@@ -283,7 +283,7 @@ impl<C: HaloCurve> Circuit<C> {
         );
 
         // Get a list of all opened values, to append to the transcript.
-        let all_opening_sets: Vec<OpeningSet<C>> =
+        let all_opening_sets: Vec<OpeningSet<C::ScalarField>> =
             vec![o_local.clone(), o_right.clone(), o_below.clone()];
         let all_opened_values_sf: Vec<C::ScalarField> = all_opening_sets
             .iter()
@@ -463,7 +463,7 @@ impl<C: HaloCurve> Circuit<C> {
         old_proofs: &[OldProof<C>],
         pi_quotient_poly: &Polynomial<C::ScalarField>,
         zeta: C::ScalarField,
-    ) -> OpeningSet<C> {
+    ) -> OpeningSet<C::ScalarField> {
         let powers_of_zeta = powers(zeta, self.degree());
 
         OpeningSet {

src/plonk_proof.rs

@@ -30,11 +30,11 @@ pub struct Proof<C: HaloCurve> {
     pub c_pis_quotient: AffinePoint<C>,
 
     /// The opening of each polynomial at `zeta`.
-    pub o_local: OpeningSet<C>,
+    pub o_local: OpeningSet<C::ScalarField>,
     /// The opening of each polynomial at `g * zeta`.
-    pub o_right: OpeningSet<C>,
+    pub o_right: OpeningSet<C::ScalarField>,
     /// The opening of each polynomial at `g^65 * zeta`.
-    pub o_below: OpeningSet<C>,
+    pub o_below: OpeningSet<C::ScalarField>,
 
     /// L in the Halo reduction.
     pub halo_l: Vec<AffinePoint<C>>,
@@ -47,7 +47,7 @@ pub struct Proof<C: HaloCurve> {
 }
 
 impl<C: HaloCurve> Proof<C> {
-    pub fn all_opening_sets(&self) -> Vec<OpeningSet<C>> {
+    pub fn all_opening_sets(&self) -> Vec<OpeningSet<C::ScalarField>> {
         vec![
             self.o_local.clone(),
             self.o_right.clone(),
@@ -275,25 +275,29 @@ impl<C: HaloCurve, InnerC: HaloCurve<BaseField = C::ScalarField>> ProofTarget<C,
 
 /// The opening of each Plonk polynomial at a particular point.
 #[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
-pub struct OpeningSet<C: Curve> {
+// Since `Field` is already a subtrait of `Serialize` and `DeserializeOwned`, we don't need serde to
+// add its own bounds `where F: Serialize`. The redundant bounds would normally be harmless, but
+// they cause an error due to a compiler bug: https://github.com/rust-lang/rust/issues/41617
+#[serde(bound = "")]
+pub struct OpeningSet<F: Field> {
     /// The purported opening of each constant polynomial.
-    pub o_constants: Vec<C::ScalarField>,
+    pub o_constants: Vec<F>,
     /// The purported opening of each S_sigma polynomial in the context of Plonk's permutation argument.
-    pub o_plonk_sigmas: Vec<C::ScalarField>,
+    pub o_plonk_sigmas: Vec<F>,
     /// The purported opening of each wire polynomial.
-    pub o_wires: Vec<C::ScalarField>,
+    pub o_wires: Vec<F>,
     /// The purported opening of `Z`.
-    pub o_plonk_z: C::ScalarField,
+    pub o_plonk_z: F,
     /// The purported opening of `t`.
-    pub o_plonk_t: Vec<C::ScalarField>,
+    pub o_plonk_t: Vec<F>,
     /// The purported opening of some old proofs `halo_g` polynomials.
-    pub o_old_proofs: Vec<C::ScalarField>,
+    pub o_old_proofs: Vec<F>,
     /// The purported opening of the public input quotient polynomial.
-    pub o_pi_quotient: C::ScalarField,
+    pub o_pi_quotient: F,
 }
 
-impl<C: Curve> OpeningSet<C> {
-    pub fn to_vec(&self) -> Vec<C::ScalarField> {
+impl<F: Field> OpeningSet<F> {
+    pub fn to_vec(&self) -> Vec<F> {
         [
             self.o_constants.as_slice(),
             self.o_plonk_sigmas.as_slice(),
@@ -337,10 +341,10 @@ impl<C: Curve> OpeningSetTarget<C> {
         .concat()
     }
 
-    pub fn populate_witness<D: Curve>(
+    pub fn populate_witness<F: Field>(
         &self,
         witness: &mut PartialWitness<C::ScalarField>,
-        values: &OpeningSet<D>,
+        values: &OpeningSet<F>,
     ) -> Result<()> {
         // TODO: We temporarily assume that each opened value fits in both fields.
         witness.set_targets(

src/serialization.rs

@@ -73,8 +73,8 @@ impl<C: Curve> FromBytes for AffinePoint<C> {
 
 impl<C: Curve> Serialize for AffinePoint<C> {
     fn serialize<S>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error>
-    where
-        S: Serializer,
+        where
+            S: Serializer,
     {
         let mut buf = vec![];
         self.write(&mut buf)
@@ -85,8 +85,8 @@ impl<C: Curve> Serialize for AffinePoint<C> {
 
 impl<'de, C: Curve> Deserialize<'de> for AffinePoint<C> {
     fn deserialize<D>(deserializer: D) -> std::result::Result<Self, D::Error>
-    where
-        D: Deserializer<'de>,
+        where
+            D: Deserializer<'de>,
     {
         struct AffinePointVisitor<C: Curve> {
             phantom: std::marker::PhantomData<C>,
@@ -169,8 +169,8 @@ mod test {
                 assert_eq!(x, y);
 
                 // Serde (de)serialization
-                let ser = bincode::serialize(&x)?;
-                let y = bincode::deserialize(&ser)?;
+                let ser = serde_cbor::to_vec(&x)?;
+                let y = serde_cbor::from_slice(&ser)?;
                 assert_eq!(x, y);
 
                 Ok(())
@@ -201,11 +201,11 @@ mod test {
                 assert_eq!(zero, q);
 
                 // Serde (de)serialization
-                let ser = bincode::serialize(&p)?;
-                let q = bincode::deserialize(&ser)?;
+                let ser = serde_cbor::to_vec(&p)?;
+                let q = serde_cbor::from_slice(&ser)?;
                 assert_eq!(p, q);
-                let ser = bincode::serialize(&zero)?;
-                let q = bincode::deserialize(&ser)?;
+                let ser = serde_cbor::to_vec(&zero)?;
+                let q = serde_cbor::from_slice(&ser)?;
                 assert_eq!(zero, q);
 
                 Ok(())
@@ -234,8 +234,7 @@ mod test {
     );
 
     // Generate a proof and verification key for the factorial circuit.
-    fn get_circuit_vk<C: HaloCurve, InnerC: HaloCurve<BaseField = C::ScalarField>>(
-    ) -> (Proof<C>, VerificationKey<C>) {
+    fn get_circuit_vk<C: HaloCurve, InnerC: HaloCurve<BaseField=C::ScalarField>>() -> (Proof<C>, VerificationKey<C>) {
         let mut builder = CircuitBuilder::<C>::new(128);
         let n = 10;
         let factorial_usize = (1..=n).product();
@@ -261,37 +260,52 @@ mod test {
         (proof, vk)
     }
 
-    #[test]
-    fn test_proof_vk_serialization_tweedledee() {
-        let (proof, vk) = get_circuit_vk::<Tweedledee, Tweedledum>();
-        let ser_proof = bincode::serialize(&proof).unwrap();
-        let ser_vk = bincode::serialize(&vk).unwrap();
-
-        let der_proof = bincode::deserialize(&ser_proof).unwrap();
-        let der_vk: VerificationKey<Tweedledee> = bincode::deserialize(&ser_vk).unwrap();
-
-        assert_eq!(proof, der_proof);
-        assert_eq!(vk.c_constants, der_vk.c_constants);
-        assert_eq!(vk.c_s_sigmas, der_vk.c_s_sigmas);
-        assert_eq!(vk.degree, der_vk.degree);
-        assert_eq!(vk.num_public_inputs, der_vk.num_public_inputs);
-        assert_eq!(vk.security_bits, der_vk.security_bits);
-    }
 
-    #[test]
-    fn test_proof_vk_serialization_tweedledum() {
-        let (proof, vk) = get_circuit_vk::<Tweedledum, Tweedledee>();
-        let ser_proof = bincode::serialize(&proof).unwrap();
-        let ser_vk = bincode::serialize(&vk).unwrap();
-
-        let der_proof = bincode::deserialize(&ser_proof).unwrap();
-        let der_vk: VerificationKey<Tweedledum> = bincode::deserialize(&ser_vk).unwrap();
-
-        assert_eq!(proof, der_proof);
-        assert_eq!(vk.c_constants, der_vk.c_constants);
-        assert_eq!(vk.c_s_sigmas, der_vk.c_s_sigmas);
-        assert_eq!(vk.degree, der_vk.degree);
-        assert_eq!(vk.num_public_inputs, der_vk.num_public_inputs);
-        assert_eq!(vk.security_bits, der_vk.security_bits);
+    macro_rules! test_proof_vk_serialization {
+        ($curve:ty, $inner_curve:ty, $test_name:ident) => {
+            #[test]
+            fn $test_name() -> Result<()> {
+                let (proof, vk) = get_circuit_vk::<$curve, $inner_curve>();
+                let ser_proof = serde_cbor::to_vec(&proof)?;
+                let ser_vk = serde_cbor::to_vec(&vk)?;
+                let vk_no_fft = VerificationKey {
+                    fft_precomputation: None,
+                    ..vk.clone()
+                };
+                let vk_no_msm = VerificationKey {
+                    pedersen_g_msm_precomputation: None,
+                    ..vk.clone()
+                };
+                let vk_none = VerificationKey {
+                    fft_precomputation: None,
+                    pedersen_g_msm_precomputation: None,
+                    ..vk.clone()
+                };
+                let ser_vk_no_fft = serde_cbor::to_vec(&vk_no_fft)?;
+                let ser_vk_no_msm = serde_cbor::to_vec(&vk_no_msm)?;
+                let ser_vk_none = serde_cbor::to_vec(&vk_none)?;
+                println!("Vk size: {} bytes", ser_vk.len());
+                println!("Vk size without fft precomputation: {} bytes", ser_vk_no_fft.len());
+                println!("Vk size without msm precomputation: {} bytes", ser_vk_no_msm.len());
+                println!("Vk size without any precomputation: {} bytes", ser_vk_none.len());
+
+                let der_proof = serde_cbor::from_slice(&ser_proof)?;
+                let der_vk: VerificationKey<$curve> = serde_cbor::from_slice(&ser_vk)?;
+                let der_vk_no_fft: VerificationKey<$curve> = serde_cbor::from_slice(&ser_vk_no_fft)?;
+                let der_vk_no_msm: VerificationKey<$curve> = serde_cbor::from_slice(&ser_vk_no_msm)?;
+                let der_vk_none: VerificationKey<$curve> = serde_cbor::from_slice(&ser_vk_none)?;
+
+                assert_eq!(proof, der_proof);
+                assert_eq!(vk, der_vk);
+                assert_eq!(vk_no_fft, der_vk_no_fft);
+                assert_eq!(vk_no_msm, der_vk_no_msm);
+                assert_eq!(vk_none, der_vk_none);
+
+                Ok(())
+            }
+        };
     }
+
+    test_proof_vk_serialization!(Tweedledee, Tweedledum, test_proof_vk_serialization_tweedledee);
+    test_proof_vk_serialization!(Tweedledum, Tweedledee, test_proof_vk_serialization_tweedledum);
 }

src/verifier.rs

@@ -12,16 +12,16 @@ use crate::{blake_hash_usize_to_curve, fft_precompute, msm_execute_parallel, msm
 
 pub const SECURITY_BITS: usize = 128;
 
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, Serialize, Deserialize, Eq, PartialEq)]
 pub struct VerificationKey<C: HaloCurve> {
     pub c_constants: Vec<AffinePoint<C>>,
     pub c_s_sigmas: Vec<AffinePoint<C>>,
     pub degree: usize,
     pub num_public_inputs: usize,
     pub security_bits: usize,
-    #[serde(skip)]
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub pedersen_g_msm_precomputation: Option<MsmPrecomputation<C>>,
-    #[serde(skip)]
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub fft_precomputation: Option<FftPrecomputation<C::ScalarField>>,
 }
 
@@ -31,6 +31,19 @@ impl<C: HaloCurve> From<Circuit<C>> for VerificationKey<C> {
     }
 }
 
+impl<C: HaloCurve> VerificationKey<C> {
+    pub fn clear_msm_precomputation(&mut self) {
+        self.pedersen_g_msm_precomputation = None;
+    }
+    pub fn clear_fft_precomputation(&mut self) {
+        self.fft_precomputation = None;
+    }
+    pub fn clear_all(&mut self) {
+        self.clear_fft_precomputation();
+        self.clear_msm_precomputation();
+    }
+}
+
 /// Verifies a proof `proof` and some old proofs G points for a given verification key.
 /// If `verify_g` is `true`, the function completely verifies the proof, including the
 /// linear time check of the G point.