feat: add dory commitment scheme

[g1684774]

I have a rewrite from DualDory (go) and I'm currently porting it to jolt.

I'd like some help to understand:

• How should I populate the Transcript? Is it needed for Dory?
• How to deal with other types of MultilinearPolynomial;
• Does Dory support a better type of batching other than just looping over;
• Multiple operations might fail, how to handle them? Is it ok to panic?
  • Inverting a Scalar Zero
  • Getting the inner product of G1xG2
• Go implementation used Sha2 for digest, is it ok to use Sha3?
• How does the reduce part fits jolt?

I'm new to jolt and I don't understand if the API is already defined or it needs to change to fit Dory.

I'm also currently learning about ZK and Snarks cryptography, so please let me know if there's something wrong.

[moodlezoup]

Hi @g1684774 ! Thanks for taking this on! I haven't had a chance to thoroughly review your PR yet, but let me try to answer some of your questions first:

• How should I populate the Transcript? Is it needed for Dory?

Our Transcript struct should be used for the "reduce" steps in the Dory code. Both are used to implement the Fiat-Shamir transform –– we have some running "digest" or "state", and whenever the prover makes a commitment of some sort, the commitment has to be "absorbed" into the digest (aka appended to the transcript) by making (in broad strokes) the following update:
state := hash(state, commitment)

• How to deal with other types of MultilinearPolynomial;

See inline comment

• Does Dory support a better type of batching other than just looping over;

What you have is fine for now!

• Multiple operations might fail, how to handle them? Is it ok to panic?

Yes, panic is ok

• Go implementation used Sha2 for digest, is it ok to use Sha3?

See above answer about the Transcript; note that we have a KeccakTranscript struct that implements the Transcript trait

• How does the reduce part fits jolt?

See above answer about the Transcript

Btw, if you haven't already you might want to check out Section 15.4 of Justin's book, which covers Dory. There may be some discrepancies between the description there and the Go implementation, but it should provide some high-level context for why things work the way they do.

[moodlezoup]

These are multi-scalar multiplications (MSMs), which we have our own optimized implementation for: https://github.com/a16z/jolt/blob/main/jolt-core/src/msm/mod.rs#L176-L220

Note that it supports all types of MultilinearPolynomials

[g1684774]

Thanks for the response. I have a few more questions:

• Does that mean that the Go implementation already does the Fiat-Shamir transform by calling ro() whereas jolt wants to provide the points by calculating the points by itself sending digest produced by the transcript?

• And if the previous question is true, does it mean that I need to unwind the recursive part and let jolt call it for me? Will Jolt call it log(n) times before calling verify? Does jolt provide a state telling me if is step1 or step2?

• Something that I couldn't quite get it for Dory is about the Public Params. Are the Public Params actually a Vec?