Histogram, MultihotCountVec: Move final reduction (*)

Simplify the `Histogram` and `MultihotCountVec` circuits by moving the
final reduction out of the circuit.

draft-irtf-cfrg-vdaf.md

@@ -4019,8 +4019,7 @@ def decode(
 The `Histogram` validity circuit checks for one-hotness in two steps, by
 checking that the encoded measurement consists of ones and zeros, and by
 checking that the sum of all elements in the encoded measurement is equal to
-one. All the individual checks are combined together in a random linear
-combination.
+one. The individual checks constitute the output of the circuit.
 
 As in the `SumVec` validity circuit ({{prio3sumvec}}), the first part of the
 validity circuit uses the `ParallelSum` gadget to perform range checks while
@@ -4069,9 +4068,7 @@ def eval(
     for b in meas:
         sum_check += b
 
-    out = joint_rand[-1] * range_check + \
-        joint_rand[-1] ** 2 * sum_check
-    return [out]
+    return [range_check, sum_check]
 ~~~
 
 Note that this circuit depends on the number of shares into which the
@@ -4083,8 +4080,8 @@ measurement is sharded. This is provided to the FLP by Prio3.
 | `GADGET_CALLS`    | `[(length + chunk_length - 1) // chunk_length]` |
 | `MEAS_LEN`        | `length`                                        |
 | `OUTPUT_LEN`      | `length`                                        |
-| `JOINT_RAND_LEN`  | `1 + GADGET_CALLS[0]`                           |
-| `EVAL_OUTPUT_LEN` | `1`                                             |
+| `JOINT_RAND_LEN`  | `GADGET_CALLS[0]`                               |
+| `EVAL_OUTPUT_LEN` | `2`                                             |
 | `Measurement`     | `int`                                           |
 | `AggResult`       | `list[int]`                                     |
 {: title="Parameters of validity circuit Histogram."}
@@ -4201,20 +4198,19 @@ def eval(
     weight_check = self.offset*shares_inv + weight - \
         weight_reported
 
-    out = joint_rand[-1] * range_check + \
-        joint_rand[-1] ** 2 * weight_check
-    return [out]
+    return [range_check, weight_check]
 ~~~
 
-| Parameter        | Value                                           |
-|:-----------------|:------------------------------------------------|
-| `GADGETS`        | `[ParallelSum(Mul(), chunk_length)]`            |
-| `GADGET_CALLS`   | `[(length + bits_for_weight + chunk_length - 1) // chunk_length]` |
-| `MEAS_LEN`       | `length + bits_for_weight`                      |
-| `OUTPUT_LEN`     | `length`                                        |
-| `JOINT_RAND_LEN` | `1 + GADGET_CALLS[0]`                           |
-| `Measurement`    | `list[int]`                                     |
-| `AggResult`      | `list[int]`                                     |
+| Parameter         | Value                                           |
+|:------------------|:------------------------------------------------|
+| `GADGETS`         | `[ParallelSum(Mul(), chunk_length)]`            |
+| `GADGET_CALLS`    | `[(length + bits_for_weight + chunk_length - 1) // chunk_length]` |
+| `MEAS_LEN`        | `length + bits_for_weight`                      |
+| `OUTPUT_LEN`      | `length`                                        |
+| `JOINT_RAND_LEN`  | `GADGET_CALLS[0]`                               |
+| `EVAL_OUTPUT_LEN` | `2`                                             |
+| `Measurement`     | `list[int]`                                     |
+| `AggResult`       | `list[int]`                                     |
 {: title="Parameters of validity circuit MultihotCountVec."}
 
 

poc/vdaf_poc/flp_bbcggi19.py

@@ -638,7 +638,7 @@ class Histogram(
     length: int
     chunk_length: int
 
-    EVAL_OUTPUT_LEN = 1
+    EVAL_OUTPUT_LEN = 2
 
     def __init__(self, field: type[F], length: int, chunk_length: int):
         """
@@ -660,7 +660,7 @@ def __init__(self, field: type[F], length: int, chunk_length: int):
         self.GADGET_CALLS = [(length + chunk_length - 1) // chunk_length]
         self.MEAS_LEN = self.length
         self.OUTPUT_LEN = self.length
-        self.JOINT_RAND_LEN = 1 + self.GADGET_CALLS[0]
+        self.JOINT_RAND_LEN = self.GADGET_CALLS[0]
 
     # NOTE: This method is excerpted in the document, de-indented. Its
     # width should be limited to 69 columns after de-indenting, or 73
@@ -703,9 +703,7 @@ def eval(
         for b in meas:
             sum_check += b
 
-        out = joint_rand[-1] * range_check + \
-            joint_rand[-1] ** 2 * sum_check
-        return [out]
+        return [range_check, sum_check]
 
     # NOTE: The encode(), truncate(), and decode() methods are excerpted
     # in the document, de-indented. Their width should be limited to 69
@@ -765,7 +763,7 @@ class MultihotCountVec(
     # Class object for the field.
     field: type[F]
 
-    EVAL_OUTPUT_LEN = 1
+    EVAL_OUTPUT_LEN = 2
 
     def __init__(self,
                  field: type[F],
@@ -813,7 +811,7 @@ def __init__(self,
         ]
         self.MEAS_LEN = self.length + self.bits_for_weight
         self.OUTPUT_LEN = self.length
-        self.JOINT_RAND_LEN = 1 + self.GADGET_CALLS[0]
+        self.JOINT_RAND_LEN = self.GADGET_CALLS[0]
 
     # NOTE: This method is excerpted in the document, de-indented. Its
     # width should be limited to 69 columns after de-indenting, or 73
@@ -860,9 +858,7 @@ def eval(
         weight_check = self.offset*shares_inv + weight - \
             weight_reported
 
-        out = joint_rand[-1] * range_check + \
-            joint_rand[-1] ** 2 * weight_check
-        return [out]
+        return [range_check, weight_check]
 
     # NOTE: The encode(), truncate(), and decode() methods are excerpted
     # in the document, de-indented. Their width should be limited to 69

test_vec/vdaf/Prio3Histogram_0.json

@@ -40,8 +40,8 @@
             ],
             "prep_shares": [
                 [
-                    "fe948d4cd76062bf22701bb43996a49cba61d1731de0e8308ff530bcdfe026ec8eea1655b3984d18f463017cf08b457350a16a88584ed7c28488e505cfcdb4d88cdf89ee9ba292d685123b3aaceeb6f9b7e327bc346ea7cf4b08607817838bc6064ddc2301a2ff2176338dd52a09fdadd442cddcbe5d10dafe0d92551d81eac7",
-                    "036b72b3289f9d40c18fe44bc6695b63afc34d8cb6e960d8b976cb0765e57775c4f1afc98e06f8da4623d5c35be0f223ae763022e162c7e3bfbc78bff4a928c33110eee2776703e3ae98d85bb97a6366c4b297f11de9f137b3448ccb5e3c9188c27dda399f3c8341c7476370573e51b6ebe601061807bb886fc55c2161ce436e"
+                    "d94d1f36d8d2f9867208928069335f0957497c6df0fe6568d4304b27f51456acf8093e765dfe404541c27935c03bf8677569234022700212e1112ad5b4a474126b01b5b1be78d897a9e616bcb21c5644fad4b87f09bc65f0c46ec41e29b19ffd064ddc2301a2ff2176338dd52a09fdadd442cddcbe5d10dafe0d92551d81eac7",
+                    "28b2e0c9272d067971f76d7f96cca0f6bef7d43878716b3fcee1d230515956acdd7ced66a61a897483b4b233e4fe32b48babf43d070fc14b1c7fc4e1a386fd223f58eec1544973c9f39e871c48543e979da23642e48ae655de8c7e6b008ab43bc27dda399f3c8341c7476370573e51b6ebe601061807bb886fc55c2161ce436e"
                 ]
             ],
             "public_share": "064ddc2301a2ff2176338dd52a09fdadd442cddcbe5d10dafe0d92551d81eac7c27dda399f3c8341c7476370573e51b6ebe601061807bb886fc55c2161ce436e",

test_vec/vdaf/Prio3Histogram_1.json

@@ -76,9 +76,9 @@
             ],
             "prep_shares": [
                 [
-                    "54c772db149e08bf8f37653ac9ce2d30169d05142fc8a851d1544196fedad6ce8198e704f75ba96676c13e934c8746b94468872d7f74f22a439558ac6b063dc87b8fbe64d3a62639873674bf0a4218de8b92f481022a2ec78b76fa53f2e2f9f423e2aa64f2e271ebb1ef64eea728cb764ef56111139b6b57b6062b056dc35bed65b3e30205531b610d546de28a6b7c7cc058087324206afad931cea724e2285c",
-                    "b4517efa1067670f78b521be727df88530ae81f2b870c00f22f3ee5bb93ede5a3431985cb562b9d20a4295522a352a75c6c287ce6cdfa2efefafb2c6112c18015401c6b870addc1c3f510e7ad00f47224c580be23a06d339489c891e7f32e307d096c94ec36ae3d772aaba20f671ab13f9c9520e7327eb51b157b1f85998871782c591e1ce996072e1f096b5991133f1d6ab883b98ec6a028b1de85eefed6989",
-                    "f9e60e2adafa8f31dc127907c4b3d9492a798c0af50bdf183d345a03c1f5934fe6b477e489edc6f4e4089fbefdd015a70bafe2492d02e41059a5be6e63a2faf94e85bc69d1b7f52fa709f8fa8eb4104820d840f7563e8b4a07b396ae5cbd12f8e0ede9e87d84ffacb9aefa677afca9e41e392104f4d325733744731b47055cdfed585479d34bf381eb8c5a1655338d24d04951ef27510d46ac2d45d22b5fc6c2"
+                    "9c992f824ce7e69496d40dfa1da358109a3472a03ed58dc33d5426b0115bc7834b72373b9e78170ed075be80bd7842796b25594ce5825c4166bffa9165a98e40a56d6d17e0ca74af36cb5dbdb3a2f3c7d246b8f5bd78acc9f6c26ffde64d4817cdd9b28b742924c79516ca016098492df7580a49dd091f4f6e81fcf9d9fc148365b3e30205531b610d546de28a6b7c7cc058087324206afad931cea724e2285c",
+                    "5db683a2145d865bdcf7b710ffb7e5ebb0bd9384c53299aae2cfe91888654d713fb6f1f7c85c5cfeaad11f1231a6ad8af800be32effc0abc03e33cd8160323e080e98fdc84db0024002bf3aec21c8a9ba3d69a20bbf18d9ff7234d6b03e993f5ef0c2dad87518e4f16634da8f1d947a518540775525c97a3d8d4323fa0f488b782c591e1ce996072e1f096b5991133f1d6ab883b98ec6a028b1de85eefed6989",
+                    "08b04cdb9ebb920f71333af5e2a4c1037e6f5e776923d04de57b5c3ae70c15ad22f5380db9898c43134eb63198f64d67b47df6087bf19d0f85c2f729bb3235bc92bf9dc3a0f5ded0191ae397b5a2553a7ce4a518a7928893a51dc7dbfbdcb3b0d59aaa9ee4849b9d94faab5b691dc86fca19867ae82f97927ff5eece600cd002ed585479d34bf381eb8c5a1655338d24d04951ef27510d46ac2d45d22b5fc6c2"
                 ]
             ],
             "public_share": "65b3e30205531b610d546de28a6b7c7cc058087324206afad931cea724e2285c82c591e1ce996072e1f096b5991133f1d6ab883b98ec6a028b1de85eefed6989ed585479d34bf381eb8c5a1655338d24d04951ef27510d46ac2d45d22b5fc6c2",

test_vec/vdaf/Prio3MultihotCountVec_0.json

@@ -46,8 +46,8 @@
             ],
             "prep_shares": [
                 [
-                    "8863bd7450266fb467f769f2a71299b25fd53feb40543a0535a6fd249bf328ce02fd704ab2110f43db49149006bbdaa86845781af4ee4cd4721684b8b388a08b5750d8f4d5253d179868e3c2a919f186474a786e5fe64faeda411aa0143980c6f626f32389f3abd8f1007f22683246938f85d46fdcf067e79c9b6b088a0c70ba",
-                    "799c428bafd9904b7c08960d58ed664d25a41f1c1169561d342e081a6064739ea65c8d883597126ed7fd9cfb0a6125e2be414c8b3e13fe8594f9601eaf92710a53b4981c55755bcb6c5cefa3a916372b85c0804a37fa78c9abc3082b5bdda6255728b4e324470bb29993bf18e20714421c8e06f4c0622e3641eb50f24fed1117"
+                    "0c82e0cc5f690b9caafa428dd6d85ec0cb91386cb2e980e5475e84dc83a874724d0ec28fc8583fcd3d2049ed82fe4cb49b774302bf9e3f22840fdcae9eda08edf34af1e39cf607549e72d9603c9064bd1ce6bcc5c3cff0cd2404afaa25d39fbef626f32389f3abd8f1007f22683246938f85d46fdcf067e79c9b6b088a0c70ba",
+                    "f57d1f33a096f4633905bd722927a13f27c3d26278454e1a5238c31d07b79cfb65698f64c871fc3ae4f3ec5c948d0436d2d857e9751199e9364d6f9097174bf6f551d066f30ae33ed61f9b4bed3609d6fd20479675bf4583e46fa4df4e93182f5728b4e324470bb29993bf18e20714421c8e06f4c0622e3641eb50f24fed1117"
                 ]
             ],
             "public_share": "f626f32389f3abd8f1007f22683246938f85d46fdcf067e79c9b6b088a0c70ba5728b4e324470bb29993bf18e20714421c8e06f4c0622e3641eb50f24fed1117",