NIMFS-centric API refactor for multifolding impl

[CPerezz]

This is a proposal for the new API of the Hypernova/multifolding current impl.

The idea is that the API is NIMFS-centric. That means, the end user only needs to deal for now with CCS(this can be prevented) and the NIMFS object.

The rest of interactions with CCCS & LCCCS have been "masked" or at the very least, is not necessary to import these structs to have full functionallity.

The current workflow that this API brings can be clearly seen here:

let ccs = CCS::<G>::from_r1cs(r1cs_shape);
  let mles = ccs.matrix_mles();
  let mut nimfs = NIMFS::init(
    &mut rng,
    ccs,
    mles,
    // Note we constructed z on the fly with the previously-used witness.
    vec![
      G::Scalar::ONE,
      G::Scalar::from(3u64),
      G::Scalar::from(35u64),
    ],
  );

  // Now, the NIMFS should satisfy correctly as we have inputed valid starting inpuits for the first LCCCS contained instance:
  assert!(nimfs.is_sat().is_ok());

  // Now let's create a valid CCCS instance and fold it:
  let valid_cccs = nimfs.gen_cccs(vec![
    G::Scalar::ONE,
    G::Scalar::from(2u64),
    G::Scalar::from(15u64),
  ]);
  nimfs.fold(&mut rng, valid_cccs);

  // Since the instance was correct, the NIMFS should still be satisfied.
  assert!(nimfs.is_sat().is_ok());

  // Now let's create am invalid CCCS instance and fold it:
  let invalid_cccs = nimfs.gen_cccs(vec![
    G::Scalar::ONE,
    G::Scalar::from(5u64),
    G::Scalar::from(55u64),
  ]);
  nimfs.fold(&mut rng, invalid_cccs);

  // Since the instance was wrong, the NIMFS should not be satisfied correctly.
  assert!(nimfs.is_sat().is_err());

This is part of a test, located in /~https://github.com/privacy-scaling-explorations/Nova/blob/change%2FNIMFS_centric_API/tests/nimfs.rs

The idea is that the user needs to type as less as possible in order to get a fold done.

I would appreciate some feedback on this @arnaucube @oskarth @asn-d6

[oskarth]

I'll review once there's a description of proposed changes and rationale, short is fine!

[oskarth]

Overall direction makes sense to me! Left some questions and comments

[oskarth]

What is this?

[CPerezz]

Ohh.. Leftover!
Fixed in 52f6a62

[oskarth]

This sentence seems incomplete

[CPerezz]

Fixed in 52f6a62

[oskarth]

Suggested change

	/// Generates a new CCCS given a reference to it's original CCS repr & the multilinear extension of it's matrixes.
	/// Generates a new CCCS given a reference to its original CCS representation and the multilinear extension of its matrices.

[CPerezz]

Fixed in 52f6a62

[oskarth]

Calling this just CCCS seems a bit weird to me since it stands for "Committed Customizable Constraint Systems". Should this be CCCS Shape or Instance instead?

[CPerezz]

Not sure it is a big deal though. In any case, I can definitely change it. What do the rest think?

[CPerezz]

I actually think is better to have shorter names. Also, we have always called it CCCS indeed in our calls. So that's why I considered a better alternative.

[oskarth]

I guess point would be to stay consistent with code base, but I don't feel super strongly about it, can see both sides

[oskarth]

It seems like it takes more than just ccs

[CPerezz]

Fixed in 52f6a62

[oskarth]

Why is this signature so different?

[CPerezz]

Because now z1 is hold inside the LCCCS instance inside the NIMFS instance. Hence, there's no need to pass it!

[oskarth]

Maybe can add this as a comment?

[asn-d6]

Some nitpicky thoughts on the APi:

• This let mles = ccs.matrix_mles(); seems a bit needless. Why would the API user need to know how to get the MLEs? Why can't the object the initial NIMFS object have the MLEs inside of it, instead of having to manually compute them? Alternatively, why don't you call matrix_mles() inside init()?
• This gen_cccs() function is test-only right? Or is it supposed to be used in the real world as well? If so, maybe a better name would be welcome, since "gen" reminds me of "generate random thing".

[CPerezz]

This let mles = ccs.matrix_mles(); seems a bit needless. Why would the API user need to know how to get the MLEs? Why can't the object the initial NIMFS object have the MLEs inside of it, instead of having to manually compute them? Alternatively, why don't you call matrix_mles() inside init()?

This is nice! Thanks! I did not see it though. Will only pass the CCS then and compute the MLEs on the fly as they just need to be computed once.

This gen_cccs() function is test-only right? Or is it supposed to be used in the real world as well? If so, maybe a better name would be welcome, since "gen" reminds me of "generate random thing".

I don't have any strong feelings on this. So changing it.
Addressed in 6d642dd. @asn-d6

[CPerezz]

This is ready to be merged with the rebase done and all comments addressed.
cc: @arnaucube @asn-d6 @oskarth

[arnaucube]

Partial review done, nice work with the PR ^^
I have pending to review the src/ccs/multifolding.rs and tests/nimfs.rs files, I hope to have some time this night to do it.

[arnaucube]

How do you feel about moving let mles = ccs.matrix_mles(); inside this method and avoiding the need to pass the MultilinearPolynomials as input in this method? Or the css_matrix_mle is carried from other upper level logic and here is just reusing that already computed data?

[CPerezz]

Or the css_matrix_mle is carried from other upper level logic and here is just reusing that already computed data?

That's exactly what happens. Ideally, I'll have the mles (as well as the CCS) serialized or given by the wire. So I don't want to spend time computing MLES. Specially since the matrixes are sparse. Which has the idea to minimize memory usage.

[oskarth]

LGTM!

[oskarth]

I guess point would be to stay consistent with code base, but I don't feel super strongly about it, can see both sides

[oskarth]

Ok let's do in follow up PR so we don't forget it

[oskarth]

Maybe can add this as a comment?

[arnaucube]

regarding src/ccs/multifolding.rs.
I find interesting the idea of having the running LCCCS data as a NIMFS structure parameter, since it feels more close to the idea of having a running instance which is folded with new instances on each iteration.

One thing to note though, is that there can be multiple LCCCS instances and multiple CCCS instances being folded in a single iteration.

[arnaucube]

Maybe the instance & witness parts should be separated? in a similar way that in [multifolding-poc]((/~https://github.com/privacy-scaling-explorations/multifolding-poc/tree/d118ea56418dadde005b5854b5cbbf38a686d24d/src/multifolding.rs#L202), since later the prover has both, but the verifier does not have the witness part of the folding.

[CPerezz]

hmmmm I can definitely do that. I just went that way as we were folding both things at the end and is simpler to write and forces us to hold less attributes.

In any case, I can change it if you think is better.

[arnaucube]

I think that this will be needed, since the verifier does not have the witness part of z. But we can do it in a future iteration, filled #46 to keep track of it.

[CPerezz]

One thing to note though, is that there can be multiple LCCCS instances and multiple CCCS instances being folded in a single iteration.

I know.
That's why #37 was raised. The plan was to stabilize firs the API and then upgrade to N->1

[arnaucube]

LGTM 😸

Regarding

That's why #37 was raised. The plan was to stabilize firs the API and then upgrade to N->1

Make sense, when doing the n-to-1 fold we will need to check how to adapt the running instance to multiple of them (eg. check if it makes sense to have an array of LCCCS in the NIMFS data structure or to just pass them as parameter together with the CCCS instances). I've left a comment to #37 to have it in mind then.

[arnaucube]

maybe z2 in the comment should match z in the code now that has been updated (or incoming_z if finally named that way as mentioned in #41 (comment) )

[CPerezz]

This leaves pending #46 as I haven't found a good enough API abstraction and I don't want to block the merge anymore.

[oskarth]

Yes let's merge this and other one