Merge pull request #402 from a16z/violet/trascript

Adds an onchain compatible transcript and removes Merlin

jolt-core/Cargo.toml

@@ -29,7 +29,6 @@ ark-serialize = { version = "0.4.2", default-features = false, features = [
 ark-std = { version = "0.4.0" }
 binius-field = { git = "https://gitlab.com/UlvetannaOSS/binius", package = "binius_field"}
 clap = { version = "4.3.10", features = ["derive"] }
-digest = "0.8.1"
 enum_dispatch = "0.3.12"
 fixedbitset = "0.5.0"
 itertools = "0.10.0"
@@ -45,7 +44,7 @@ rand_core = { version = "0.6.4", default-features = false }
 rayon = { version = "^1.8.0", optional = true }
 rgb = "0.8.37"
 serde = { version = "1.0.*", default-features = false }
-sha3 = "0.8.2"
+sha3 = "0.10.8"
 smallvec = "1.13.1"
 strum = "0.25.0"
 strum_macros = "0.25.2"

jolt-core/src/jolt/vm/bytecode.rs

@@ -350,15 +350,14 @@ pub struct BytecodeCommitment<C: CommitmentScheme> {
 }
 
 impl<C: CommitmentScheme> AppendToTranscript for BytecodeCommitment<C> {
-    fn append_to_transcript(&self, label: &'static [u8], transcript: &mut ProofTranscript) {
-        transcript.append_protocol_name(label);
+    fn append_to_transcript(&self, transcript: &mut ProofTranscript) {
+        transcript.append_protocol_name(b"Bytecode Commitments");
 
         for commitment in &self.trace_commitments {
-            commitment.append_to_transcript(b"trace", transcript);
+            commitment.append_to_transcript(transcript);
         }
 
-        self.t_final_commitment
-            .append_to_transcript(b"final", transcript);
+        self.t_final_commitment.append_to_transcript(transcript);
     }
 }
 

jolt-core/src/jolt/vm/instruction_lookups.rs

@@ -79,15 +79,15 @@ pub struct InstructionCommitment<C: CommitmentScheme> {
 }
 
 impl<C: CommitmentScheme> AppendToTranscript for InstructionCommitment<C> {
-    fn append_to_transcript(&self, label: &'static [u8], transcript: &mut ProofTranscript) {
-        transcript.append_message(label, b"InstructionCommitment_begin");
+    fn append_to_transcript(&self, transcript: &mut ProofTranscript) {
+        transcript.append_message(b"InstructionCommitment_begin");
         for commitment in &self.trace_commitment {
-            commitment.append_to_transcript(b"trace_commitment", transcript);
+            commitment.append_to_transcript(transcript);
         }
         for commitment in &self.final_commitment {
-            commitment.append_to_transcript(b"final_commitment", transcript);
+            commitment.append_to_transcript(transcript);
         }
-        transcript.append_message(label, b"InstructionCommitment_end");
+        transcript.append_message(b"InstructionCommitment_end");
     }
 }
 
@@ -617,7 +617,7 @@ where
     }
 
     fn protocol_name() -> &'static [u8] {
-        b"Instruction lookups memory checking"
+        b"Instruction lookups check"
     }
 }
 
@@ -817,7 +817,7 @@ where
         transcript.append_protocol_name(Self::protocol_name());
 
         let trace_length = polynomials.dim[0].len();
-        let r_eq = transcript.challenge_vector(b"Jolt instruction lookups", trace_length.log_2());
+        let r_eq = transcript.challenge_vector(trace_length.log_2());
 
         let eq_evals: Vec<F> = EqPolynomial::evals(&r_eq);
         let mut eq_poly = DensePolynomial::new(eq_evals);
@@ -876,10 +876,7 @@ where
     ) -> Result<(), ProofVerifyError> {
         transcript.append_protocol_name(Self::protocol_name());
 
-        let r_eq = transcript.challenge_vector(
-            b"Jolt instruction lookups",
-            proof.primary_sumcheck.num_rounds,
-        );
+        let r_eq = transcript.challenge_vector(proof.primary_sumcheck.num_rounds);
 
         // TODO: compartmentalize all primary sumcheck logic
         let (claim_last, r_primary_sumcheck) = proof.primary_sumcheck.sumcheck_proof.verify(
@@ -1264,9 +1261,9 @@ where
         round_uni_poly: UniPoly<F>,
         transcript: &mut ProofTranscript,
     ) -> F {
-        round_uni_poly.append_to_transcript(b"poly", transcript);
+        round_uni_poly.append_to_transcript(transcript);
 
-        transcript.challenge_scalar::<F>(b"challenge_nextround")
+        transcript.challenge_scalar::<F>()
     }
 
     /// Combines the subtable values given by `vals` and the flag values given by `flags`.

jolt-core/src/jolt/vm/mod.rs

@@ -125,17 +125,11 @@ pub struct JoltCommitments<PCS: CommitmentScheme> {
 
 impl<PCS: CommitmentScheme> JoltCommitments<PCS> {
     fn append_to_transcript(&self, transcript: &mut ProofTranscript) {
-        self.bytecode.append_to_transcript(b"bytecode", transcript);
-        self.read_write_memory
-            .append_to_transcript(b"read_write_memory", transcript);
-        self.timestamp_range_check
-            .append_to_transcript(b"timestamp_range_check", transcript);
-        self.instruction_lookups
-            .append_to_transcript(b"instruction_lookups", transcript);
-        self.r1cs
-            .as_ref()
-            .unwrap()
-            .append_to_transcript(b"r1cs", transcript);
+        self.bytecode.append_to_transcript(transcript);
+        self.read_write_memory.append_to_transcript(transcript);
+        self.timestamp_range_check.append_to_transcript(transcript);
+        self.instruction_lookups.append_to_transcript(transcript);
+        self.r1cs.as_ref().unwrap().append_to_transcript(transcript);
     }
 }
 
@@ -375,7 +369,7 @@ pub trait Jolt<F: JoltField, PCS: CommitmentScheme<Field = F>, const C: usize, c
             padded_trace_length,
         );
 
-        transcript.append_scalar(b"spartan key", &spartan_key.vk_digest);
+        transcript.append_scalar(&spartan_key.vk_digest);
 
         jolt_commitments.r1cs = Some(r1cs_commitments);
         jolt_commitments.append_to_transcript(&mut transcript);
@@ -439,7 +433,7 @@ pub trait Jolt<F: JoltField, PCS: CommitmentScheme<Field = F>, const C: usize, c
         Self::fiat_shamir_preamble(&mut transcript, &proof.program_io, proof.trace_length);
 
         // append the digest of vk (which includes R1CS matrices) and the RelaxedR1CSInstance to the transcript
-        transcript.append_scalar(b"spartan key", &proof.r1cs.key.vk_digest);
+        transcript.append_scalar(&proof.r1cs.key.vk_digest);
 
         commitments.append_to_transcript(&mut transcript);
 
@@ -688,16 +682,16 @@ pub trait Jolt<F: JoltField, PCS: CommitmentScheme<Field = F>, const C: usize, c
         program_io: &JoltDevice,
         trace_length: usize,
     ) {
-        transcript.append_u64(b"Unpadded trace length", trace_length as u64);
-        transcript.append_u64(b"C", C as u64);
-        transcript.append_u64(b"M", M as u64);
-        transcript.append_u64(b"# instructions", Self::InstructionSet::COUNT as u64);
-        transcript.append_u64(b"# subtables", Self::Subtables::COUNT as u64);
-        transcript.append_u64(b"Max input size", program_io.memory_layout.max_input_size);
-        transcript.append_u64(b"Max output size", program_io.memory_layout.max_output_size);
-        transcript.append_bytes(b"Program inputs", &program_io.inputs);
-        transcript.append_bytes(b"Program outputs", &program_io.outputs);
-        transcript.append_u64(b"Program panic", program_io.panic as u64);
+        transcript.append_u64(trace_length as u64);
+        transcript.append_u64(C as u64);
+        transcript.append_u64(M as u64);
+        transcript.append_u64(Self::InstructionSet::COUNT as u64);
+        transcript.append_u64(Self::Subtables::COUNT as u64);
+        transcript.append_u64(program_io.memory_layout.max_input_size);
+        transcript.append_u64(program_io.memory_layout.max_output_size);
+        transcript.append_bytes(&program_io.inputs);
+        transcript.append_bytes(&program_io.outputs);
+        transcript.append_u64(program_io.panic as u64);
     }
 }
 

jolt-core/src/jolt/vm/read_write_memory.rs

@@ -964,16 +964,14 @@ pub struct MemoryCommitment<C: CommitmentScheme> {
 }
 
 impl<C: CommitmentScheme> AppendToTranscript for MemoryCommitment<C> {
-    fn append_to_transcript(&self, label: &'static [u8], transcript: &mut ProofTranscript) {
-        transcript.append_message(label, b"MemoryCommitment_begin");
+    fn append_to_transcript(&self, transcript: &mut ProofTranscript) {
+        transcript.append_message(b"MemoryCommitment_begin");
         for commitment in &self.trace_commitments {
-            commitment.append_to_transcript(b"trace_commit", transcript);
+            commitment.append_to_transcript(transcript);
         }
-        self.v_final_commitment
-            .append_to_transcript(b"v_final_commit", transcript);
-        self.t_final_commitment
-            .append_to_transcript(b"t_final_commit", transcript);
-        transcript.append_message(label, b"MemoryCommitment_end");
+        self.v_final_commitment.append_to_transcript(transcript);
+        self.t_final_commitment.append_to_transcript(transcript);
+        transcript.append_message(b"MemoryCommitment_end");
     }
 }
 
@@ -1510,7 +1508,7 @@ where
         transcript: &mut ProofTranscript,
     ) -> Self {
         let num_rounds = polynomials.memory_size.log_2();
-        let r_eq = transcript.challenge_vector(b"output_sumcheck", num_rounds);
+        let r_eq = transcript.challenge_vector(num_rounds);
         let eq: DensePolynomial<F> = DensePolynomial::new(EqPolynomial::evals(&r_eq));
 
         let io_witness_range: Vec<_> = (0..polynomials.memory_size as u64)
@@ -1588,7 +1586,7 @@ where
         commitment: &MemoryCommitment<C>,
         transcript: &mut ProofTranscript,
     ) -> Result<(), ProofVerifyError> {
-        let r_eq = transcript.challenge_vector(b"output_sumcheck", proof.num_rounds);
+        let r_eq = transcript.challenge_vector(proof.num_rounds);
 
         let (sumcheck_claim, r_sumcheck) =
             proof

jolt-core/src/jolt/vm/timestamp_range_check.rs

@@ -172,12 +172,12 @@ pub struct RangeCheckCommitment<C: CommitmentScheme> {
 }
 
 impl<C: CommitmentScheme> AppendToTranscript for RangeCheckCommitment<C> {
-    fn append_to_transcript(&self, label: &'static [u8], transcript: &mut ProofTranscript) {
-        transcript.append_message(label, b"RangeCheckCommitment_begin");
+    fn append_to_transcript(&self, transcript: &mut ProofTranscript) {
+        transcript.append_message(b"RangeCheckCommitment_begin");
         for commitment in &self.commitments {
-            commitment.append_to_transcript(b"range", transcript);
+            commitment.append_to_transcript(transcript);
         }
-        transcript.append_message(label, b"RangeCheckCommitment_end");
+        transcript.append_message(b"RangeCheckCommitment_end");
     }
 }
 
@@ -453,7 +453,7 @@ where
     }
 
     fn protocol_name() -> &'static [u8] {
-        b"Timestamp validity proof memory checking"
+        b"Timestamp Validity Proof"
     }
 }
 
@@ -680,8 +680,8 @@ where
         setup: &C::Setup,
     ) -> (BatchedGrandProductProof<C>, MultisetHashes<F>, Vec<F>) {
         // Fiat-Shamir randomness for multiset hashes
-        let gamma: F = transcript.challenge_scalar(b"Memory checking gamma");
-        let tau: F = transcript.challenge_scalar(b"Memory checking tau");
+        let gamma: F = transcript.challenge_scalar();
+        let tau: F = transcript.challenge_scalar();
 
         transcript.append_protocol_name(Self::protocol_name());
 
@@ -719,8 +719,8 @@ where
         transcript: &mut ProofTranscript,
     ) -> Result<(), ProofVerifyError> {
         // Fiat-Shamir randomness for multiset hashes
-        let gamma: F = transcript.challenge_scalar(b"Memory checking gamma");
-        let tau: F = transcript.challenge_scalar(b"Memory checking tau");
+        let gamma: F = transcript.challenge_scalar();
+        let tau: F = transcript.challenge_scalar();
 
         transcript.append_protocol_name(Self::protocol_name());
 
@@ -831,6 +831,6 @@ where
     }
 
     fn protocol_name() -> &'static [u8] {
-        b"Timestamp validity proof memory checking"
+        b"Timestamp Validity Proof"
     }
 }

jolt-core/src/lasso/memory_checking.rs

@@ -35,10 +35,10 @@ pub struct MultisetHashes<F: JoltField> {
 
 impl<F: JoltField> MultisetHashes<F> {
     pub fn append_to_transcript(&self, transcript: &mut ProofTranscript) {
-        transcript.append_scalars(b"Read multiset hashes", &self.read_hashes);
-        transcript.append_scalars(b"Write multiset hashes", &self.write_hashes);
-        transcript.append_scalars(b"Init multiset hashes", &self.init_hashes);
-        transcript.append_scalars(b"Final multiset hashes", &self.final_hashes);
+        transcript.append_scalars(&self.read_hashes);
+        transcript.append_scalars(&self.write_hashes);
+        transcript.append_scalars(&self.init_hashes);
+        transcript.append_scalars(&self.final_hashes);
     }
 }
 
@@ -160,8 +160,8 @@ where
         Vec<F>,
     ) {
         // Fiat-Shamir randomness for multiset hashes
-        let gamma: F = transcript.challenge_scalar(b"Memory checking gamma");
-        let tau: F = transcript.challenge_scalar(b"Memory checking tau");
+        let gamma: F = transcript.challenge_scalar();
+        let tau: F = transcript.challenge_scalar();
 
         transcript.append_protocol_name(Self::protocol_name());
 
@@ -333,8 +333,8 @@ where
         transcript: &mut ProofTranscript,
     ) -> Result<(), ProofVerifyError> {
         // Fiat-Shamir randomness for multiset hashes
-        let gamma: F = transcript.challenge_scalar(b"Memory checking gamma");
-        let tau: F = transcript.challenge_scalar(b"Memory checking tau");
+        let gamma: F = transcript.challenge_scalar();
+        let tau: F = transcript.challenge_scalar();
 
         transcript.append_protocol_name(Self::protocol_name());
 

jolt-core/src/lasso/surge.rs

@@ -383,7 +383,7 @@ where
     }
 
     fn protocol_name() -> &'static [u8] {
-        b"Surge memory checking"
+        b"SurgeMemCheck"
     }
 }
 
@@ -579,11 +579,11 @@ where
         // TODO(sragss): Commit some of this stuff to transcript?
 
         // Primary sumcheck
-        let r_primary_sumcheck = transcript.challenge_vector(b"primary_sumcheck", num_rounds);
+        let r_primary_sumcheck = transcript.challenge_vector(num_rounds);
         let eq: DensePolynomial<F> = DensePolynomial::new(EqPolynomial::evals(&r_primary_sumcheck));
         let sumcheck_claim: F = Self::compute_primary_sumcheck_claim(&polynomials, &eq);
 
-        transcript.append_scalar(b"sumcheck_claim", &sumcheck_claim);
+        transcript.append_scalar(&sumcheck_claim);
         let mut combined_sumcheck_polys = polynomials.E_polys.clone();
         combined_sumcheck_polys.push(eq);
 
@@ -638,13 +638,9 @@ where
         transcript.append_protocol_name(Self::protocol_name());
         let instruction = Instruction::default();
 
-        let r_primary_sumcheck =
-            transcript.challenge_vector(b"primary_sumcheck", proof.primary_sumcheck.num_rounds);
+        let r_primary_sumcheck = transcript.challenge_vector(proof.primary_sumcheck.num_rounds);
 
-        transcript.append_scalar(
-            b"sumcheck_claim",
-            &proof.primary_sumcheck.claimed_evaluation,
-        );
+        transcript.append_scalar(&proof.primary_sumcheck.claimed_evaluation);
         let primary_sumcheck_poly_degree = instruction.g_poly_degree(C) + 1;
         let (claim_last, r_z) = proof.primary_sumcheck.sumcheck_proof.verify(
             proof.primary_sumcheck.claimed_evaluation,

jolt-core/src/poly/commitment/binius.rs

@@ -15,7 +15,7 @@ pub struct Binius128Scheme {}
 pub struct BiniusCommitment {}
 
 impl AppendToTranscript for BiniusCommitment {
-    fn append_to_transcript(&self, _label: &[u8], _transcript: &mut ProofTranscript) {
+    fn append_to_transcript(&self, _transcript: &mut ProofTranscript) {
         todo!()
     }
 }