Fix sample field element for default transcript. (#976)

* add new trait

* impl default transcript for montgomery backend

* fix plonk

* refactor

* add babybear test

* add tests

* fmt

* add trait to sumcheck prover

* rm Vec

* rm serde-binary

* impl HasDefaultTranscript for u64prmeField

* fmt

* Update math/src/field/traits.rs

Co-authored-by: Cyprien de Saint Guilhem <[email protected]>

* Update math/src/field/fields/u64_prime_field.rs

Co-authored-by: Cyprien de Saint Guilhem <[email protected]>

* change seed for rng

* fix clippy

* fix clippy

* change rand version

* redo rand version

* fix range in u64

* fix target wasm32

* change dependencies rand no std

---------

Co-authored-by: Cyprien de Saint Guilhem <[email protected]>
Co-authored-by: diegokingston <[email protected]>
Co-authored-by: Nicole <[email protected]>

Author: 4 people

crypto/Cargo.toml

@@ -17,6 +17,9 @@ serde = { version = "1.0", default-features = false, features = [
     "alloc",
 ], optional = true }
 rayon = { version = "1.8.0", optional = true }
+rand = { version = "0.8.5", default-features = false }
+rand_chacha = { version = "0.3.1", default-features = false }
+
 [dev-dependencies]
 criterion = "0.4"
 iai-callgrind.workspace = true

crypto/src/fiat_shamir/default_transcript.rs

@@ -1,19 +1,20 @@
 use super::is_transcript::IsTranscript;
 use core::marker::PhantomData;
 use lambdaworks_math::{
-    field::{element::FieldElement, traits::IsField},
+    field::{element::FieldElement, traits::HasDefaultTranscript},
     traits::ByteConversion,
 };
+use rand_chacha::{rand_core::SeedableRng, ChaCha20Rng};
 use sha3::{Digest, Keccak256};
 
-pub struct DefaultTranscript<F: IsField> {
+pub struct DefaultTranscript<F: HasDefaultTranscript> {
     hasher: Keccak256,
     phantom: PhantomData<F>,
 }
 
 impl<F> DefaultTranscript<F>
 where
-    F: IsField,
+    F: HasDefaultTranscript,
     FieldElement<F>: ByteConversion,
 {
     pub fn new(data: &[u8]) -> Self {
@@ -36,7 +37,7 @@ where
 
 impl<F> Default for DefaultTranscript<F>
 where
-    F: IsField,
+    F: HasDefaultTranscript,
     FieldElement<F>: ByteConversion,
 {
     fn default() -> Self {
@@ -46,7 +47,7 @@ where
 
 impl<F> IsTranscript<F> for DefaultTranscript<F>
 where
-    F: IsField,
+    F: HasDefaultTranscript,
     FieldElement<F>: ByteConversion,
 {
     fn append_bytes(&mut self, new_bytes: &[u8]) {
@@ -62,7 +63,8 @@ where
     }
 
     fn sample_field_element(&mut self) -> FieldElement<F> {
-        FieldElement::from_bytes_be(&self.sample()).unwrap()
+        let mut rng = <ChaCha20Rng as SeedableRng>::from_seed(self.sample());
+        F::get_random_field_element_from_rng(&mut rng)
     }
 
     fn sample_u64(&mut self, upper_bound: u64) -> u64 {
@@ -74,7 +76,6 @@ where
 mod tests {
     use super::*;
 
-    extern crate alloc;
     use alloc::vec::Vec;
     use lambdaworks_math::elliptic_curve::short_weierstrass::curves::bls12_381::default_types::FrField;
 

math/Cargo.toml

@@ -17,6 +17,7 @@ serde_json = { version = "1.0", default-features = false, features = [
 proptest = { version = "1.1.0", optional = true }
 winter-math = { package = "winter-math", version = "0.6.4", default-features = false, optional = true }
 miden-core = { package = "miden-core", version = "0.7", default-features = false, optional = true }
+rand = { version = "0.8.5", default-features = false }
 
 # rayon
 rayon = { version = "1.7", optional = true }
@@ -28,11 +29,9 @@ objc = { version = "0.2.7", optional = true }
 # cuda
 cudarc = { version = "0.9.7", optional = true }
 
-
 lambdaworks-gpu = { workspace = true, optional = true }
 
 [dev-dependencies]
-rand = { version = "0.8.5", features = ["std"] }
 rand_chacha = "0.3.1"
 criterion = "0.5.1"
 const-random = "0.1.15"
@@ -41,6 +40,8 @@ proptest = "1.1.0"
 pprof = { version = "0.13.0", features = ["criterion", "flamegraph"] }
 p3-baby-bear = { git = "https://github.com/Plonky3/Plonky3" }
 p3-field = { git = "https://github.com/Plonky3/Plonky3" }
+rand = { version = "0.8.5", features = ["std"] }
+
 [features]
 default = ["parallel", "std"]
 std = ["alloc", "serde?/std", "serde_json?/std"]
@@ -52,6 +53,7 @@ proptest = ["dep:proptest"]
 winter_compatibility = ["winter-math", "miden-core"]
 instruments = []
 
+
 # gpu
 metal = [
     "dep:metal",
@@ -61,6 +63,9 @@ metal = [
 ]
 cuda = ["dep:cudarc", "dep:lambdaworks-gpu"]
 
+[target.wasm32-unknown-unknown.dependencies]
+getrandom = { version = "0.2.15", features = ["js"] }
+
 [[bench]]
 name = "criterion_elliptic_curve"
 harness = false

math/src/field/fields/fft_friendly/quartic_babybear.rs

@@ -2,7 +2,7 @@ use crate::field::{
     element::FieldElement,
     errors::FieldError,
     fields::fft_friendly::babybear::Babybear31PrimeField,
-    traits::{IsFFTField, IsField, IsSubFieldOf},
+    traits::{HasDefaultTranscript, IsFFTField, IsField, IsSubFieldOf},
 };
 
 use crate::traits::ByteConversion;
@@ -330,6 +330,39 @@ impl IsFFTField for Degree4BabyBearExtensionField {
     ];
 }
 
+impl HasDefaultTranscript for Degree4BabyBearExtensionField {
+    fn get_random_field_element_from_rng(rng: &mut impl rand::Rng) -> FieldElement<Self> {
+        //Babybear Prime p = 2^31 - 2^27 + 1
+        const MODULUS: u64 = 2013265921;
+
+        //Babybear prime needs 31 bits and is represented with 32 bits.
+        //The mask is used to remove the first bit.
+        const MASK: u64 = 0x7FFF_FFFF;
+
+        let mut sample = [0u8; 8];
+
+        let mut coeffs = [
+            FieldElement::from(0u64),
+            FieldElement::from(0u64),
+            FieldElement::from(0u64),
+            FieldElement::from(0u64),
+        ];
+
+        for coeff in &mut coeffs {
+            loop {
+                rng.fill(&mut sample);
+                let int_sample = u64::from_be_bytes(sample) & MASK;
+                if int_sample < MODULUS {
+                    *coeff = FieldElement::from(int_sample);
+                    break;
+                }
+            }
+        }
+
+        FieldElement::<Self>::new(coeffs)
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

math/src/field/fields/montgomery_backed_prime_fields.rs

@@ -1,6 +1,6 @@
 use crate::field::element::FieldElement;
 use crate::field::errors::FieldError;
-use crate::field::traits::IsPrimeField;
+use crate::field::traits::{HasDefaultTranscript, IsPrimeField};
 #[cfg(feature = "alloc")]
 use crate::traits::AsBytes;
 use crate::traits::ByteConversion;
@@ -385,6 +385,47 @@ where
     }
 }
 
+impl<M, const NUM_LIMBS: usize> HasDefaultTranscript for MontgomeryBackendPrimeField<M, NUM_LIMBS>
+where
+    M: IsModulus<UnsignedInteger<NUM_LIMBS>> + Clone + Debug,
+{
+    /// # Panics
+    ///
+    /// This function will panic if NUM_LIMBS is greater than 6.
+    fn get_random_field_element_from_rng(
+        rng: &mut impl rand::Rng,
+    ) -> FieldElement<MontgomeryBackendPrimeField<M, NUM_LIMBS>> {
+        let mut buffer = [0u8; 6 * 8];
+        let first_non_zero_limb_index = M::MODULUS
+            .limbs
+            .iter()
+            .position(|&x| x != 0)
+            .expect("modulus should be non-zero");
+        let mask = u64::MAX >> M::MODULUS.limbs[first_non_zero_limb_index].leading_zeros();
+
+        let bits_start_idx = first_non_zero_limb_index * 8;
+        let bits_end_idx = NUM_LIMBS * 8;
+        let mut uint_sample;
+
+        loop {
+            let sample_bytes = &mut buffer[bits_start_idx..bits_end_idx];
+            rng.fill(sample_bytes);
+
+            uint_sample = UnsignedInteger::from_bytes_be(&buffer).unwrap();
+
+            uint_sample.limbs[first_non_zero_limb_index] &= mask;
+
+            if uint_sample < M::MODULUS {
+                break;
+            }
+        }
+
+        FieldElement::new(MontgomeryBackendPrimeField::<M, NUM_LIMBS>::from_base_type(
+            uint_sample,
+        ))
+    }
+}
+
 #[cfg(test)]
 mod tests_u384_prime_fields {
     use crate::field::element::FieldElement;
@@ -393,13 +434,17 @@ mod tests_u384_prime_fields {
     use crate::field::fields::montgomery_backed_prime_fields::{
         IsModulus, U256PrimeField, U384PrimeField,
     };
+    use crate::field::traits::HasDefaultTranscript;
     use crate::field::traits::IsField;
     use crate::field::traits::IsPrimeField;
     #[cfg(feature = "alloc")]
     use crate::traits::ByteConversion;
     use crate::unsigned_integer::element::U384;
     use crate::unsigned_integer::element::{UnsignedInteger, U256};
 
+    use rand::Rng;
+    use rand_chacha::{rand_core::SeedableRng, ChaCha20Rng};
+
     #[derive(Clone, Debug)]
     struct U384Modulus23;
     impl IsModulus<U384> for U384Modulus23 {
@@ -644,6 +689,48 @@ mod tests_u384_prime_fields {
         assert_eq!(-&zero, zero);
     }
 
+    #[test]
+    fn test_random_field_element_from_rng_0() {
+        // This seed generates a sample that is less than the modulus;
+        let mut rng = <ChaCha20Rng as SeedableRng>::from_seed([1; 32]);
+        let mut expected_rng = rng.clone();
+
+        let mut buffer = [0u8; 48];
+        let sample_bytes = &mut buffer[40..];
+        expected_rng.fill(sample_bytes);
+
+        let mut expected_uint = UnsignedInteger::from_bytes_be(&buffer).unwrap();
+
+        expected_uint.limbs[5] &= 31_u64;
+
+        let expected = FieldElement::new(U384F23::from_base_type(expected_uint));
+
+        let result = U384F23::get_random_field_element_from_rng(&mut rng);
+
+        assert_eq!(result, expected);
+    }
+
+    #[test]
+    fn test_random_field_element_from_rng_1() {
+        // This seed generates a sample that is grater than the modulus;
+        let mut rng = <ChaCha20Rng as SeedableRng>::from_seed([5; 32]);
+        let mut expected_rng = rng.clone();
+
+        let mut buffer = [0u8; 48];
+        let sample_bytes = &mut buffer[40..];
+        expected_rng.fill(sample_bytes);
+
+        let mut expected_uint = UnsignedInteger::from_bytes_be(&buffer).unwrap();
+
+        expected_uint.limbs[5] &= 31_u64;
+
+        let expected = FieldElement::new(U384F23::from_base_type(expected_uint));
+
+        let result = U384F23::get_random_field_element_from_rng(&mut rng);
+
+        assert_ne!(result, expected);
+    }
+
     // FP1
     #[derive(Clone, Debug)]
     struct U384ModulusP1;
@@ -788,12 +875,15 @@ mod tests_u256_prime_fields {
     use crate::field::element::FieldElement;
     use crate::field::errors::FieldError;
     use crate::field::fields::montgomery_backed_prime_fields::{IsModulus, U256PrimeField};
+    use crate::field::traits::HasDefaultTranscript;
     use crate::field::traits::IsField;
     use crate::field::traits::IsPrimeField;
     #[cfg(feature = "alloc")]
     use crate::traits::ByteConversion;
     use crate::unsigned_integer::element::U256;
     use crate::unsigned_integer::element::{UnsignedInteger, U64};
+    use rand::Rng;
+    use rand_chacha::{rand_core::SeedableRng, ChaCha20Rng};
 
     use super::U64PrimeField;
 
@@ -992,7 +1082,48 @@ mod tests_u256_prime_fields {
         assert_eq!(-&zero, zero);
     }
 
-    // FP1
+    #[test]
+    fn test_random_field_element_from_rng_0() {
+        // This seed generates a sample that is less than the modulus;
+        let mut rng = <ChaCha20Rng as SeedableRng>::from_seed([1; 32]);
+        let mut expected_rng = rng.clone();
+
+        let mut buffer = [0u8; 48];
+        let sample_bytes = &mut buffer[24..32];
+        expected_rng.fill(sample_bytes);
+
+        let mut expected_uint = UnsignedInteger::from_bytes_be(&buffer).unwrap();
+
+        expected_uint.limbs[3] &= 31_u64;
+
+        let expected = FieldElement::new(U256F29::from_base_type(expected_uint));
+
+        let result = U256F29::get_random_field_element_from_rng(&mut rng);
+
+        assert_eq!(result, expected);
+    }
+
+    #[test]
+    fn test_random_field_element_from_rng_1() {
+        // This seed generates a sample that is grater than the modulus;
+        let mut rng = <ChaCha20Rng as SeedableRng>::from_seed([5; 32]);
+        let mut expected_rng = rng.clone();
+
+        let mut buffer = [0u8; 48];
+        let sample_bytes = &mut buffer[24..32];
+        expected_rng.fill(sample_bytes);
+
+        let mut expected_uint = UnsignedInteger::from_bytes_be(&buffer).unwrap();
+
+        expected_uint.limbs[3] &= 31_u64;
+
+        let expected = FieldElement::new(U256F29::from_base_type(expected_uint));
+
+        let result = U256F29::get_random_field_element_from_rng(&mut rng);
+
+        assert_ne!(result, expected);
+    }
+
     #[derive(Clone, Debug)]
     struct U256ModulusP1;
     impl IsModulus<U256> for U256ModulusP1 {

math/src/field/fields/u64_prime_field.rs

@@ -4,7 +4,7 @@ use crate::errors::CreationError;
 use crate::errors::DeserializationError;
 use crate::field::element::FieldElement;
 use crate::field::errors::FieldError;
-use crate::field::traits::{IsFFTField, IsField, IsPrimeField};
+use crate::field::traits::{HasDefaultTranscript, IsFFTField, IsField, IsPrimeField};
 use crate::traits::{ByteConversion, Deserializable};
 
 /// Type representing prime fields over unsigned 64-bit integers.
@@ -153,6 +153,23 @@ impl<const MODULUS: u64> Deserializable for FieldElement<U64PrimeField<MODULUS>>
     }
 }
 
+impl<const MODULUS: u64> HasDefaultTranscript for U64PrimeField<MODULUS> {
+    fn get_random_field_element_from_rng(rng: &mut impl rand::Rng) -> FieldElement<Self> {
+        let mask = u64::MAX >> MODULUS.leading_zeros();
+        let mut sample = [0u8; 8];
+        let field;
+        loop {
+            rng.fill(&mut sample);
+            let int_sample = u64::from_be_bytes(sample) & mask;
+            if int_sample < MODULUS {
+                field = FieldElement::from(int_sample);
+                break;
+            }
+        }
+        field
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

math/src/field/traits.rs

@@ -282,3 +282,10 @@ pub trait IsPrimeField: IsField {
         Some((x, neg_x))
     }
 }
+
+/// This trait is necessary for sampling a random field element with a uniform distribution.
+pub trait HasDefaultTranscript: IsField {
+    /// This function should truncates the sampled bits to the quantity required to represent the order of the base field
+    /// and returns a field element.
+    fn get_random_field_element_from_rng(rng: &mut impl rand::Rng) -> FieldElement<Self>;
+}