New Transcript API (and modified commitment scheme)

[ebfull]

Closes #66.

The goal of this PR is to solve multiple problems:

1. Currently, we have various Proof objects scattered around the codebase for each of the different subprotocols. Some of these proof objects contain vectors of (vectors of) curve points and scalars. This complicates serialization/deserialization of proofs because the lengths of these vectors depend on the configuration of the circuit. We don't want to encode the lengths of vectors inside of proofs because we'll know them at runtime and they do not change. We should instead treat proof objects as opaque byte streams into the verifier.
2. It's easy to accidentally put stuff in a Proof object that isn't also placed in the transcript.
3. In Multi-proof prover #67 we need to be able to create multiple PLONK proofs at the same time and they will share many different substructures when they're for the same circuit.
4. (Bonus) Now verification also accounts for the cost of deserialization, which isn't negligible due to point compression.

The idea is to refactor the transcript module to provide two separate concepts: a TranscriptWrite trait that represents something we can write to (at proving time) and a TranscriptRead trait that represents something we can read from (at verifying time). Crucially, implementations of these traits are responsible for simultaneously writing to some std::io::Write buffer at the same time that they hash things into the transcript, and similarly for TranscriptRead/std::io::Read.

We can then remove all of the Proof-like structures from the codebase.

In addition, we perform a few refactorings of the PLONK implementation to reflect the fact that the verifier needs to temporarily store values in the proof and cannot simply access a Proof object anymore. This makes the verifier look a lot more like the prover, which does the same thing for other reasons.

In order to make this easier I had to also change the commitment scheme to more closely match the one from the accumulation scheme paper. That involved three changes:

1. We subtract [v] G_0 from the commitment P that we're opening at x; the argument from then forward becomes "does the polynomial committed at P have a root at x" which will be efficient inside of recursive circuits because it's just a fixed-based scalar multiplication, versus the variable base P' = P + [v] U thing that we do in the Halo paper.
2. The prover supplies a commitment R to a random polynomial that also has a root at x. The verifier samples random iota and computes P' = P - [v] G_0 + [iota] R and the inner product argument is run on P'. This makes it so that we don't need to do a Schnorr proof at the end because P' is uniformly distributed in the space of polynomials with a root at x.
3. We don't sample U for checking the values; we use a fixed U and compute a challenge z to compute U' = [z] U and use U' for that purpose. It was never really necessary for U to be sampled from the group, which I didn't realize at the time.

[ebfull]

Highly recommend reviewing with whitespace changes hidden.

[codecov-io]

Codecov Report

Merging #111 (cc6b0bb) into main (fb37172) will increase coverage by 1.02%.
The diff coverage is 97.18%.

@@            Coverage Diff             @@
##             main     #111      +/-   ##
==========================================
+ Coverage   83.44%   84.46%   +1.02%     
==========================================
  Files          34       36       +2     
  Lines        3738     3862     +124     
==========================================
+ Hits         3119     3262     +143     
+ Misses        619      600      -19     

Impacted Files	Coverage Δ
benches/plonk.rs	0.00% <ø> (ø)
src/arithmetic/fields.rs	47.05% <ø> (-25.41%)	⬇️
src/pasta/curves.rs	74.92% <ø> (+3.76%)	⬆️
src/pasta/fields/fp.rs	84.70% <ø> (-0.14%)	⬇️
src/pasta/fields/fq.rs	81.34% <ø> (-0.17%)	⬇️
src/plonk/lookup.rs	85.71% <ø> (ø)
src/plonk/permutation.rs	100.00% <ø> (ø)
src/poly/multiopen.rs	97.94% <ø> (ø)
src/poly/commitment.rs	88.96% <89.55%> (+1.57%)	⬆️
src/poly/commitment/msm.rs	94.02% <93.75%> (-2.05%)	⬇️
... and 26 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fb37172...cc6b0bb. Read the comment docs.

[str4d]

It would be great for this PR to also add a design page (probably book/src/design/implementation.md) describing why we do this / why proofs are read and written via the transcript 😁

[daira]

utACK. I have not checked the protocol changes.

[daira]

What's the ... here?

[ebfull]

It's the left hand side of the equality, msm - [v] G_0 + random_poly_commitment * iota + \sum(L_i * u_i^2) + \sum(R_i * u_i^-2).

[daira]

I don't understand how this is a substitution into the previous line.

[ebfull]

The prover will not be giving us G but rather G + H (the blinding factor is 1), so we have to subtract H from what they give us. We do this because auxillary commitments always have a blinding factor of 1 in the PLONK API, ensuring that under no circumstance will points at infinity emerge inside of a recursive circuit.

[str4d]

I reviewed everything except the first commit from #113.

[str4d]

Not sure I like this being a property of the curve implementation, but it will do for now. We will likely need to refactor this later.

[str4d]

These definitely will need changing to be more descriptive as to their purpose 🙂

[daira]

This will change again when we switch to simplified SWU for hash-to-curve.