test pass

Author: hero78119

ceno_zkvm/src/scheme/cpu/mod.rs

@@ -32,8 +32,11 @@ use multilinear_extensions::{
     virtual_poly::build_eq_x_r_vec,
     virtual_polys::VirtualPolynomialsBuilder,
 };
-use p3::field::FieldAlgebra;
-use rayon::iter::{IntoParallelIterator, IntoParallelRefIterator, ParallelIterator};
+use p3::field::{Field, FieldAlgebra};
+use rayon::iter::{
+    IndexedParallelIterator, IntoParallelIterator, IntoParallelRefIterator,
+    IntoParallelRefMutIterator, ParallelIterator,
+};
 use std::{collections::BTreeMap, sync::Arc};
 use sumcheck::{
     macros::{entered_span, exit_span},
@@ -80,16 +83,38 @@ impl CpuEccProver {
         let out_rt = transcript.sample_and_append_vec(b"ecc", n);
         let num_threads = optimal_sumcheck_threads(out_rt.len());
 
-        let alpha_pows =
-            transcript.sample_and_append_challenge_pows(SEPTIC_EXTENSION_DEGREE * 3, b"ecc_alpha");
+        // 2: expression got add and double
+        // 3: each contribute 3 zero constrains
+        let alpha_pows = transcript
+            .sample_and_append_challenge_pows(SEPTIC_EXTENSION_DEGREE * 3 * 2, b"ecc_alpha");
+        let mut alpha_pows_iter = alpha_pows.iter();
 
         let mut expr_builder = VirtualPolynomialsBuilder::new(num_threads, out_rt.len());
 
         let sel_add = SelectorType::QuarkBinaryTreeLessThan(0.into());
         let mut sel_add_mle: MultilinearExtension<'_, E> =
             sel_add.compute(&out_rt, num_instances).unwrap();
+        // we construct sel_double witness here
+        // verifier can derive it via `sel_double = 1 - sel_add - last_onehot`
+        let mut sel_double_mle: Vec<E> = build_eq_x_r_vec(&out_rt);
+        match sel_add_mle.evaluations() {
+            FieldType::Ext(sel_add_mle) => sel_add_mle
+                .par_iter()
+                .zip_eq(sel_double_mle.par_iter_mut())
+                .for_each(|(sel_add, sel_double)| {
+                    if *sel_add != E::ZERO {
+                        *sel_double = E::ZERO;
+                    }
+                }),
+            _ => unreachable!(),
+        }
+        *sel_double_mle.last_mut().unwrap() = E::ZERO;
+        let mut sel_double_mle = sel_double_mle.into_mle();
         let sel_add_expr = expr_builder.lift(sel_add_mle.to_either());
+        let sel_double_expr = expr_builder.lift(sel_double_mle.to_either());
+
         let mut exprs_add = vec![];
+        let mut exprs_double = vec![];
 
         let filter_bj = |v: &[MultilinearExtension<'_, E>], j: usize| {
             v.iter()
@@ -162,7 +187,7 @@ impl CpuEccProver {
             (s.clone() * (&x0 - &x1) - (&y0 - &y1))
                 .to_exprs()
                 .into_iter()
-                .zip(alpha_pows.iter().take(SEPTIC_EXTENSION_DEGREE))
+                .zip_eq(alpha_pows_iter.by_ref().take(SEPTIC_EXTENSION_DEGREE))
                 .map(|(e, alpha)| e * Expression::Constant(Either::Right(*alpha))),
         );
 
@@ -171,11 +196,7 @@ impl CpuEccProver {
             ((&s * &s) - &x0 - &x1 - &x3)
                 .to_exprs()
                 .into_iter()
-                .zip(
-                    alpha_pows[SEPTIC_EXTENSION_DEGREE..]
-                        .iter()
-                        .take(SEPTIC_EXTENSION_DEGREE),
-                )
+                .zip_eq(alpha_pows_iter.by_ref().take(SEPTIC_EXTENSION_DEGREE))
                 .map(|(e, alpha)| e * Expression::Constant(Either::Right(*alpha))),
         );
 
@@ -184,25 +205,56 @@ impl CpuEccProver {
             (s.clone() * (&x0 - &x3) - (&y0 + &y3))
                 .to_exprs()
                 .into_iter()
-                .zip(
-                    alpha_pows[SEPTIC_EXTENSION_DEGREE * 2..]
-                        .iter()
-                        .take(SEPTIC_EXTENSION_DEGREE),
-                )
+                .zip_eq(alpha_pows_iter.by_ref().take(SEPTIC_EXTENSION_DEGREE))
                 .map(|(e, alpha)| e * Expression::Constant(Either::Right(*alpha))),
         );
 
         let exprs_add = exprs_add.into_iter().sum::<Expression<E>>() * sel_add_expr;
 
-        let (zerocheck_proof, state) =
-            IOPProverState::prove(expr_builder.to_virtual_polys(&[exprs_add], &[]), transcript);
+        // deal with double
+        // 0 = s[0,b] * (2*y[b,0]) - (3*x[b,0]^2 + a)
+        exprs_double.extend(
+            (s.clone() * (&y0.mul_scalar(Either::Left(E::BaseField::TWO)))
+                - ((&x0 * &x0.mul_scalar(Either::Left(E::BaseField::from_canonical_u32(3))))
+                    .add_scalar(Either::Left(E::BaseField::TWO))))
+            .to_exprs()
+            .into_iter()
+            .zip_eq(alpha_pows_iter.by_ref().take(SEPTIC_EXTENSION_DEGREE))
+            .map(|(e, alpha)| e * Expression::Constant(Either::Right(*alpha))),
+        );
+
+        // 0 = s[0,b]^2 - 2*x[b,0] - x[1,b]
+        exprs_double.extend(
+            ((&s * &s) - (&x0.mul_scalar(Either::Left(E::BaseField::TWO))) - &x3)
+                .to_exprs()
+                .into_iter()
+                .zip_eq(alpha_pows_iter.by_ref().take(SEPTIC_EXTENSION_DEGREE))
+                .map(|(e, alpha)| e * Expression::Constant(Either::Right(*alpha))),
+        );
+
+        // 0 = s * (x[b,0] - x[1,b]) - (y[b,0] + y[1, b])
+        exprs_double.extend(
+            (s.clone() * (&x0 - &x3) - (&y0 + &y3))
+                .to_exprs()
+                .into_iter()
+                .zip_eq(alpha_pows_iter.by_ref().take(SEPTIC_EXTENSION_DEGREE))
+                .map(|(e, alpha)| e * Expression::Constant(Either::Right(*alpha))),
+        );
+        assert!(alpha_pows_iter.next().is_none());
+
+        let exprs_double = exprs_double.into_iter().sum::<Expression<E>>() * sel_double_expr;
+
+        let (zerocheck_proof, state) = IOPProverState::prove(
+            expr_builder.to_virtual_polys(&[exprs_add + exprs_double], &[]),
+            transcript,
+        );
 
         let rt = state.collect_raw_challenges();
         let evals = state.get_mle_flatten_final_evaluations();
 
         assert_eq!(zerocheck_proof.extract_sum(), E::ZERO);
         // 7 for x[rt,0], x[rt,1], y[rt,0], y[rt,1], x[1,rt], y[1,rt], s[0,rt]
-        assert_eq!(evals.len(), 1 + SEPTIC_EXTENSION_DEGREE * 7);
+        assert_eq!(evals.len(), 2 + SEPTIC_EXTENSION_DEGREE * 7);
 
         #[cfg(feature = "sanity-check")]
         {
@@ -1055,7 +1107,7 @@ mod tests {
     use std::iter::repeat;
 
     use ff_ext::BabyBearExt4;
-    use itertools::{Itertools, assert_equal};
+    use itertools::Itertools;
     use multilinear_extensions::{
         mle::{IntoMLE, MultilinearExtension},
         util::transpose,

ceno_zkvm/src/scheme/septic_curve.rs

@@ -594,6 +594,28 @@ impl<F: Field> MulAssign<Self> for SepticExtension<F> {
 #[derive(Clone, Debug)]
 pub struct SymbolicSepticExtension<E: ExtensionField>(pub Vec<Expression<E>>);
 
+impl<E: ExtensionField> SymbolicSepticExtension<E> {
+    pub fn mul_scalar(&self, scalar: Either<E::BaseField, E>) -> Self {
+        let res = self
+            .0
+            .iter()
+            .map(|a| a.clone() * Expression::Constant(scalar))
+            .collect();
+
+        SymbolicSepticExtension(res)
+    }
+
+    pub fn add_scalar(&self, scalar: Either<E::BaseField, E>) -> Self {
+        let res = self
+            .0
+            .iter()
+            .map(|a| a.clone() + Expression::Constant(scalar))
+            .collect();
+
+        SymbolicSepticExtension(res)
+    }
+}
+
 impl<E: ExtensionField> Add<Self> for &SymbolicSepticExtension<E> {
     type Output = SymbolicSepticExtension<E>;
 

ceno_zkvm/src/scheme/verifier.rs

@@ -5,7 +5,22 @@ use ff_ext::ExtensionField;
 #[cfg(debug_assertions)]
 use ff_ext::{Instrumented, PoseidonField};
 
-use gkr_iop::{gkr::GKRClaims, utils::eq_eval_less_or_equal_than};
+use crate::{
+    error::ZKVMError,
+    scheme::{
+        constants::{NUM_FANIN, NUM_FANIN_LOGUP, SEL_DEGREE, SEPTIC_EXTENSION_DEGREE},
+        septic_curve::SepticExtension,
+    },
+    structs::{
+        ComposedConstrainSystem, EccQuarkProof, PointAndEval, TowerProofs, VerifyingKey,
+        ZKVMVerifyingKey,
+    },
+    utils::{
+        eval_inner_repeated_incremental_vec, eval_outer_repeated_incremental_vec,
+        eval_stacked_constant_vec, eval_stacked_wellform_address_vec, eval_wellform_address_vec,
+    },
+};
+use gkr_iop::{gkr::GKRClaims, selector::SelectorType, utils::eq_eval_less_or_equal_than};
 use itertools::{Itertools, chain, interleave, izip};
 use mpcs::{Point, PolynomialCommitmentScheme};
 use multilinear_extensions::{
@@ -23,22 +38,6 @@ use sumcheck::{
 use transcript::{ForkableTranscript, Transcript};
 use witness::next_pow2_instance_padding;
 
-use crate::{
-    error::ZKVMError,
-    scheme::{
-        constants::{NUM_FANIN, NUM_FANIN_LOGUP, SEL_DEGREE, SEPTIC_EXTENSION_DEGREE},
-        septic_curve::SepticExtension,
-    },
-    structs::{
-        ComposedConstrainSystem, EccQuarkProof, PointAndEval, TowerProofs, VerifyingKey,
-        ZKVMVerifyingKey,
-    },
-    utils::{
-        eval_inner_repeated_incremental_vec, eval_outer_repeated_incremental_vec,
-        eval_stacked_constant_vec, eval_stacked_wellform_address_vec, eval_wellform_address_vec,
-    },
-};
-
 use super::{ZKVMChipProof, ZKVMProof};
 
 pub struct ZKVMVerifier<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> {
@@ -996,31 +995,31 @@ impl EccVerifier {
             transcript,
         );
 
-        let s0: SepticExtension<E> = proof.evals[1..][0..SEPTIC_EXTENSION_DEGREE]
+        let s0: SepticExtension<E> = proof.evals[2..][0..][..SEPTIC_EXTENSION_DEGREE]
             .try_into()
             .unwrap();
-        let x0: SepticExtension<E> = proof.evals[1..]
-            [SEPTIC_EXTENSION_DEGREE..2 * SEPTIC_EXTENSION_DEGREE]
+        let x0: SepticExtension<E> = proof.evals[2..][SEPTIC_EXTENSION_DEGREE..]
+            [..SEPTIC_EXTENSION_DEGREE]
             .try_into()
             .unwrap();
-        let y0: SepticExtension<E> = proof.evals[1..]
-            [2 * SEPTIC_EXTENSION_DEGREE..3 * SEPTIC_EXTENSION_DEGREE]
+        let y0: SepticExtension<E> = proof.evals[2..][2 * SEPTIC_EXTENSION_DEGREE..]
+            [..SEPTIC_EXTENSION_DEGREE]
             .try_into()
             .unwrap();
-        let x1: SepticExtension<E> = proof.evals[1..]
-            [3 * SEPTIC_EXTENSION_DEGREE..4 * SEPTIC_EXTENSION_DEGREE]
+        let x1: SepticExtension<E> = proof.evals[2..][3 * SEPTIC_EXTENSION_DEGREE..]
+            [..SEPTIC_EXTENSION_DEGREE]
             .try_into()
             .unwrap();
-        let y1: SepticExtension<E> = proof.evals[1..]
-            [4 * SEPTIC_EXTENSION_DEGREE..5 * SEPTIC_EXTENSION_DEGREE]
+        let y1: SepticExtension<E> = proof.evals[2..][4 * SEPTIC_EXTENSION_DEGREE..]
+            [..SEPTIC_EXTENSION_DEGREE]
             .try_into()
             .unwrap();
-        let x3: SepticExtension<E> = proof.evals[1..]
-            [5 * SEPTIC_EXTENSION_DEGREE..6 * SEPTIC_EXTENSION_DEGREE]
+        let x3: SepticExtension<E> = proof.evals[2..][5 * SEPTIC_EXTENSION_DEGREE..]
+            [..SEPTIC_EXTENSION_DEGREE]
             .try_into()
             .unwrap();
-        let y3: SepticExtension<E> = proof.evals[1..]
-            [6 * SEPTIC_EXTENSION_DEGREE..7 * SEPTIC_EXTENSION_DEGREE]
+        let y3: SepticExtension<E> = proof.evals[2..][6 * SEPTIC_EXTENSION_DEGREE..]
+            [..SEPTIC_EXTENSION_DEGREE]
             .try_into()
             .unwrap();
 
@@ -1054,6 +1053,7 @@ impl EccVerifier {
             .sum();
 
         let sel = eq_eval_less_or_equal_than(num_instances - 1, &out_rt, &rt);
+        // let SelectorType::QuarkBinaryTreeLessThan(1.into());
         // let sel = eq_quark_form(num_instances - 1, &out_rt, &rt);
         if sumcheck_claim.expected_evaluation != v * sel {
             return Err(ZKVMError::VerifyError(

gkr_iop/src/selector.rs

@@ -1,7 +1,7 @@
-use rayon::iter::{IndexedParallelIterator, IntoParallelIterator, IntoParallelRefIterator};
+use rayon::iter::IndexedParallelIterator;
 
 use ff_ext::ExtensionField;
-use itertools::{Itertools, assert_equal};
+use itertools::Itertools;
 use multilinear_extensions::{
     Expression,
     mle::{IntoMLE, MultilinearExtension, Point},