diff --git a/backend/plonk/bls12-377/prove.go b/backend/plonk/bls12-377/prove.go index a6833fe0c9..b2a9c29b6f 100644 --- a/backend/plonk/bls12-377/prove.go +++ b/backend/plonk/bls12-377/prove.go @@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts <-computeFoldedH // Batch open the first list of polynomials + polysQcp := coefficients(pk.trace.Qcp) + polysToOpen := make([][]fr.Element, 7+len(polysQcp)) + copy(polysToOpen[7:], polysQcp) + // offset := len(polysQcp) + polysToOpen[0] = foldedH + polysToOpen[1] = linearizedPolynomialCanonical + polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()] + polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()] + polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()] + polysToOpen[5] = pk.trace.S1.Coefficients() + polysToOpen[6] = pk.trace.S2.Coefficients() + + digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7) + copy(digestsToOpen[7:], pk.Vk.Qcp) + // offset = len(pk.Vk.Qcp) + digestsToOpen[0] = foldedHDigest + digestsToOpen[1] = linearizedPolynomialDigest + digestsToOpen[2] = proof.LRO[0] + digestsToOpen[3] = proof.LRO[1] + digestsToOpen[4] = proof.LRO[2] + digestsToOpen[5] = pk.Vk.S[0] + digestsToOpen[6] = pk.Vk.S[1] + proof.BatchedProof, err = kzg.BatchOpenSinglePoint( - append(coefficients(pk.trace.Qcp), - foldedH, - linearizedPolynomialCanonical, - bwliop.Coefficients()[:bwliop.BlindedSize()], - bwriop.Coefficients()[:bwriop.BlindedSize()], - bwoiop.Coefficients()[:bwoiop.BlindedSize()], - pk.trace.S1.Coefficients(), - pk.trace.S2.Coefficients(), - ), - append(pk.Vk.Qcp, - foldedHDigest, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - pk.Vk.S[0], - pk.Vk.S[1], - ), + polysToOpen, + digestsToOpen, zeta, hFunc, pk.Kzg, diff --git a/backend/plonk/bls12-377/verify.go b/backend/plonk/bls12-377/verify.go index af820983d0..c28a894d02 100644 --- a/backend/plonk/bls12-377/verify.go +++ b/backend/plonk/bls12-377/verify.go @@ -39,7 +39,7 @@ var ( ) func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { - log := logger.Logger().With().Str("curve", "bls12_377").Str("backend", "plonk").Logger() + log := logger.Logger().With().Str("curve", "bls12-377").Str("backend", "plonk").Logger() start := time.Now() // pick a hash function to derive the challenge (the same as in the prover) @@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { zu := proof.ZShiftedOpening.ClaimedValue - qC := make([]fr.Element, len(proof.Bsb22Commitments)) - copy(qC, proof.BatchedProof.ClaimedValues) - claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):] - claimedQuotient := claimedValues[0] - linearizedPolynomialZeta := claimedValues[1] - l := claimedValues[2] - r := claimedValues[3] - o := claimedValues[4] - s1 := claimedValues[5] - s2 := claimedValues[6] + claimedQuotient := proof.BatchedProof.ClaimedValues[0] + linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1] + l := proof.BatchedProof.ClaimedValues[2] + r := proof.BatchedProof.ClaimedValues[3] + o := proof.BatchedProof.ClaimedValues[4] + s1 := proof.BatchedProof.ClaimedValues[5] + s2 := proof.BatchedProof.ClaimedValues[6] _s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ) _s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ) @@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { vk.S[2], proof.Z, // second & third part ) + qC := make([]fr.Element, len(proof.Bsb22Commitments)) + copy(qC, proof.BatchedProof.ClaimedValues[7:]) scalars := append(qC, l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part _s1, _s2, // second & third part @@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { } // Fold the first proof - foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp, - foldedH, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - vk.S[0], - vk.S[1], - ), + digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7) + copy(digestsToFold[7:], vk.Qcp) + digestsToFold[0] = foldedH + digestsToFold[1] = linearizedPolynomialDigest + digestsToFold[2] = proof.LRO[0] + digestsToFold[3] = proof.LRO[1] + digestsToFold[4] = proof.LRO[2] + digestsToFold[5] = vk.S[0] + digestsToFold[6] = vk.S[1] + foldedProof, foldedDigest, err := kzg.FoldProof( + digestsToFold, &proof.BatchedProof, zeta, hFunc, diff --git a/backend/plonk/bls12-381/prove.go b/backend/plonk/bls12-381/prove.go index 69bfbeb4a9..b5972e36d3 100644 --- a/backend/plonk/bls12-381/prove.go +++ b/backend/plonk/bls12-381/prove.go @@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts <-computeFoldedH // Batch open the first list of polynomials + polysQcp := coefficients(pk.trace.Qcp) + polysToOpen := make([][]fr.Element, 7+len(polysQcp)) + copy(polysToOpen[7:], polysQcp) + // offset := len(polysQcp) + polysToOpen[0] = foldedH + polysToOpen[1] = linearizedPolynomialCanonical + polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()] + polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()] + polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()] + polysToOpen[5] = pk.trace.S1.Coefficients() + polysToOpen[6] = pk.trace.S2.Coefficients() + + digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7) + copy(digestsToOpen[7:], pk.Vk.Qcp) + // offset = len(pk.Vk.Qcp) + digestsToOpen[0] = foldedHDigest + digestsToOpen[1] = linearizedPolynomialDigest + digestsToOpen[2] = proof.LRO[0] + digestsToOpen[3] = proof.LRO[1] + digestsToOpen[4] = proof.LRO[2] + digestsToOpen[5] = pk.Vk.S[0] + digestsToOpen[6] = pk.Vk.S[1] + proof.BatchedProof, err = kzg.BatchOpenSinglePoint( - append(coefficients(pk.trace.Qcp), - foldedH, - linearizedPolynomialCanonical, - bwliop.Coefficients()[:bwliop.BlindedSize()], - bwriop.Coefficients()[:bwriop.BlindedSize()], - bwoiop.Coefficients()[:bwoiop.BlindedSize()], - pk.trace.S1.Coefficients(), - pk.trace.S2.Coefficients(), - ), - append(pk.Vk.Qcp, - foldedHDigest, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - pk.Vk.S[0], - pk.Vk.S[1], - ), + polysToOpen, + digestsToOpen, zeta, hFunc, pk.Kzg, diff --git a/backend/plonk/bls12-381/verify.go b/backend/plonk/bls12-381/verify.go index f22da3bc6e..3124e92c5e 100644 --- a/backend/plonk/bls12-381/verify.go +++ b/backend/plonk/bls12-381/verify.go @@ -39,7 +39,7 @@ var ( ) func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { - log := logger.Logger().With().Str("curve", "bls12_381").Str("backend", "plonk").Logger() + log := logger.Logger().With().Str("curve", "bls12-381").Str("backend", "plonk").Logger() start := time.Now() // pick a hash function to derive the challenge (the same as in the prover) @@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { zu := proof.ZShiftedOpening.ClaimedValue - qC := make([]fr.Element, len(proof.Bsb22Commitments)) - copy(qC, proof.BatchedProof.ClaimedValues) - claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):] - claimedQuotient := claimedValues[0] - linearizedPolynomialZeta := claimedValues[1] - l := claimedValues[2] - r := claimedValues[3] - o := claimedValues[4] - s1 := claimedValues[5] - s2 := claimedValues[6] + claimedQuotient := proof.BatchedProof.ClaimedValues[0] + linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1] + l := proof.BatchedProof.ClaimedValues[2] + r := proof.BatchedProof.ClaimedValues[3] + o := proof.BatchedProof.ClaimedValues[4] + s1 := proof.BatchedProof.ClaimedValues[5] + s2 := proof.BatchedProof.ClaimedValues[6] _s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ) _s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ) @@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { vk.S[2], proof.Z, // second & third part ) + qC := make([]fr.Element, len(proof.Bsb22Commitments)) + copy(qC, proof.BatchedProof.ClaimedValues[7:]) scalars := append(qC, l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part _s1, _s2, // second & third part @@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { } // Fold the first proof - foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp, - foldedH, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - vk.S[0], - vk.S[1], - ), + digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7) + copy(digestsToFold[7:], vk.Qcp) + digestsToFold[0] = foldedH + digestsToFold[1] = linearizedPolynomialDigest + digestsToFold[2] = proof.LRO[0] + digestsToFold[3] = proof.LRO[1] + digestsToFold[4] = proof.LRO[2] + digestsToFold[5] = vk.S[0] + digestsToFold[6] = vk.S[1] + foldedProof, foldedDigest, err := kzg.FoldProof( + digestsToFold, &proof.BatchedProof, zeta, hFunc, diff --git a/backend/plonk/bls24-315/prove.go b/backend/plonk/bls24-315/prove.go index 69ef7228c1..39e11185fa 100644 --- a/backend/plonk/bls24-315/prove.go +++ b/backend/plonk/bls24-315/prove.go @@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts <-computeFoldedH // Batch open the first list of polynomials + polysQcp := coefficients(pk.trace.Qcp) + polysToOpen := make([][]fr.Element, 7+len(polysQcp)) + copy(polysToOpen[7:], polysQcp) + // offset := len(polysQcp) + polysToOpen[0] = foldedH + polysToOpen[1] = linearizedPolynomialCanonical + polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()] + polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()] + polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()] + polysToOpen[5] = pk.trace.S1.Coefficients() + polysToOpen[6] = pk.trace.S2.Coefficients() + + digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7) + copy(digestsToOpen[7:], pk.Vk.Qcp) + // offset = len(pk.Vk.Qcp) + digestsToOpen[0] = foldedHDigest + digestsToOpen[1] = linearizedPolynomialDigest + digestsToOpen[2] = proof.LRO[0] + digestsToOpen[3] = proof.LRO[1] + digestsToOpen[4] = proof.LRO[2] + digestsToOpen[5] = pk.Vk.S[0] + digestsToOpen[6] = pk.Vk.S[1] + proof.BatchedProof, err = kzg.BatchOpenSinglePoint( - append(coefficients(pk.trace.Qcp), - foldedH, - linearizedPolynomialCanonical, - bwliop.Coefficients()[:bwliop.BlindedSize()], - bwriop.Coefficients()[:bwriop.BlindedSize()], - bwoiop.Coefficients()[:bwoiop.BlindedSize()], - pk.trace.S1.Coefficients(), - pk.trace.S2.Coefficients(), - ), - append(pk.Vk.Qcp, - foldedHDigest, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - pk.Vk.S[0], - pk.Vk.S[1], - ), + polysToOpen, + digestsToOpen, zeta, hFunc, pk.Kzg, diff --git a/backend/plonk/bls24-315/verify.go b/backend/plonk/bls24-315/verify.go index afa89fa0b6..81dc747e0b 100644 --- a/backend/plonk/bls24-315/verify.go +++ b/backend/plonk/bls24-315/verify.go @@ -39,7 +39,7 @@ var ( ) func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { - log := logger.Logger().With().Str("curve", "bls24_315").Str("backend", "plonk").Logger() + log := logger.Logger().With().Str("curve", "bls24-315").Str("backend", "plonk").Logger() start := time.Now() // pick a hash function to derive the challenge (the same as in the prover) @@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { zu := proof.ZShiftedOpening.ClaimedValue - qC := make([]fr.Element, len(proof.Bsb22Commitments)) - copy(qC, proof.BatchedProof.ClaimedValues) - claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):] - claimedQuotient := claimedValues[0] - linearizedPolynomialZeta := claimedValues[1] - l := claimedValues[2] - r := claimedValues[3] - o := claimedValues[4] - s1 := claimedValues[5] - s2 := claimedValues[6] + claimedQuotient := proof.BatchedProof.ClaimedValues[0] + linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1] + l := proof.BatchedProof.ClaimedValues[2] + r := proof.BatchedProof.ClaimedValues[3] + o := proof.BatchedProof.ClaimedValues[4] + s1 := proof.BatchedProof.ClaimedValues[5] + s2 := proof.BatchedProof.ClaimedValues[6] _s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ) _s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ) @@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { vk.S[2], proof.Z, // second & third part ) + qC := make([]fr.Element, len(proof.Bsb22Commitments)) + copy(qC, proof.BatchedProof.ClaimedValues[7:]) scalars := append(qC, l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part _s1, _s2, // second & third part @@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { } // Fold the first proof - foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp, - foldedH, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - vk.S[0], - vk.S[1], - ), + digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7) + copy(digestsToFold[7:], vk.Qcp) + digestsToFold[0] = foldedH + digestsToFold[1] = linearizedPolynomialDigest + digestsToFold[2] = proof.LRO[0] + digestsToFold[3] = proof.LRO[1] + digestsToFold[4] = proof.LRO[2] + digestsToFold[5] = vk.S[0] + digestsToFold[6] = vk.S[1] + foldedProof, foldedDigest, err := kzg.FoldProof( + digestsToFold, &proof.BatchedProof, zeta, hFunc, diff --git a/backend/plonk/bls24-317/prove.go b/backend/plonk/bls24-317/prove.go index 753b151b9c..5ec3131efc 100644 --- a/backend/plonk/bls24-317/prove.go +++ b/backend/plonk/bls24-317/prove.go @@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts <-computeFoldedH // Batch open the first list of polynomials + polysQcp := coefficients(pk.trace.Qcp) + polysToOpen := make([][]fr.Element, 7+len(polysQcp)) + copy(polysToOpen[7:], polysQcp) + // offset := len(polysQcp) + polysToOpen[0] = foldedH + polysToOpen[1] = linearizedPolynomialCanonical + polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()] + polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()] + polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()] + polysToOpen[5] = pk.trace.S1.Coefficients() + polysToOpen[6] = pk.trace.S2.Coefficients() + + digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7) + copy(digestsToOpen[7:], pk.Vk.Qcp) + // offset = len(pk.Vk.Qcp) + digestsToOpen[0] = foldedHDigest + digestsToOpen[1] = linearizedPolynomialDigest + digestsToOpen[2] = proof.LRO[0] + digestsToOpen[3] = proof.LRO[1] + digestsToOpen[4] = proof.LRO[2] + digestsToOpen[5] = pk.Vk.S[0] + digestsToOpen[6] = pk.Vk.S[1] + proof.BatchedProof, err = kzg.BatchOpenSinglePoint( - append(coefficients(pk.trace.Qcp), - foldedH, - linearizedPolynomialCanonical, - bwliop.Coefficients()[:bwliop.BlindedSize()], - bwriop.Coefficients()[:bwriop.BlindedSize()], - bwoiop.Coefficients()[:bwoiop.BlindedSize()], - pk.trace.S1.Coefficients(), - pk.trace.S2.Coefficients(), - ), - append(pk.Vk.Qcp, - foldedHDigest, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - pk.Vk.S[0], - pk.Vk.S[1], - ), + polysToOpen, + digestsToOpen, zeta, hFunc, pk.Kzg, diff --git a/backend/plonk/bls24-317/verify.go b/backend/plonk/bls24-317/verify.go index 3aa9661e80..a6a7479e08 100644 --- a/backend/plonk/bls24-317/verify.go +++ b/backend/plonk/bls24-317/verify.go @@ -39,7 +39,7 @@ var ( ) func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { - log := logger.Logger().With().Str("curve", "bls24_317").Str("backend", "plonk").Logger() + log := logger.Logger().With().Str("curve", "bls24-317").Str("backend", "plonk").Logger() start := time.Now() // pick a hash function to derive the challenge (the same as in the prover) @@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { zu := proof.ZShiftedOpening.ClaimedValue - qC := make([]fr.Element, len(proof.Bsb22Commitments)) - copy(qC, proof.BatchedProof.ClaimedValues) - claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):] - claimedQuotient := claimedValues[0] - linearizedPolynomialZeta := claimedValues[1] - l := claimedValues[2] - r := claimedValues[3] - o := claimedValues[4] - s1 := claimedValues[5] - s2 := claimedValues[6] + claimedQuotient := proof.BatchedProof.ClaimedValues[0] + linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1] + l := proof.BatchedProof.ClaimedValues[2] + r := proof.BatchedProof.ClaimedValues[3] + o := proof.BatchedProof.ClaimedValues[4] + s1 := proof.BatchedProof.ClaimedValues[5] + s2 := proof.BatchedProof.ClaimedValues[6] _s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ) _s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ) @@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { vk.S[2], proof.Z, // second & third part ) + qC := make([]fr.Element, len(proof.Bsb22Commitments)) + copy(qC, proof.BatchedProof.ClaimedValues[7:]) scalars := append(qC, l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part _s1, _s2, // second & third part @@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { } // Fold the first proof - foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp, - foldedH, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - vk.S[0], - vk.S[1], - ), + digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7) + copy(digestsToFold[7:], vk.Qcp) + digestsToFold[0] = foldedH + digestsToFold[1] = linearizedPolynomialDigest + digestsToFold[2] = proof.LRO[0] + digestsToFold[3] = proof.LRO[1] + digestsToFold[4] = proof.LRO[2] + digestsToFold[5] = vk.S[0] + digestsToFold[6] = vk.S[1] + foldedProof, foldedDigest, err := kzg.FoldProof( + digestsToFold, &proof.BatchedProof, zeta, hFunc, diff --git a/backend/plonk/bn254/prove.go b/backend/plonk/bn254/prove.go index 6cf1ef2dff..1302571166 100644 --- a/backend/plonk/bn254/prove.go +++ b/backend/plonk/bn254/prove.go @@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts <-computeFoldedH // Batch open the first list of polynomials + polysQcp := coefficients(pk.trace.Qcp) + polysToOpen := make([][]fr.Element, 7+len(polysQcp)) + copy(polysToOpen[7:], polysQcp) + // offset := len(polysQcp) + polysToOpen[0] = foldedH + polysToOpen[1] = linearizedPolynomialCanonical + polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()] + polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()] + polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()] + polysToOpen[5] = pk.trace.S1.Coefficients() + polysToOpen[6] = pk.trace.S2.Coefficients() + + digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7) + copy(digestsToOpen[7:], pk.Vk.Qcp) + // offset = len(pk.Vk.Qcp) + digestsToOpen[0] = foldedHDigest + digestsToOpen[1] = linearizedPolynomialDigest + digestsToOpen[2] = proof.LRO[0] + digestsToOpen[3] = proof.LRO[1] + digestsToOpen[4] = proof.LRO[2] + digestsToOpen[5] = pk.Vk.S[0] + digestsToOpen[6] = pk.Vk.S[1] + proof.BatchedProof, err = kzg.BatchOpenSinglePoint( - append(coefficients(pk.trace.Qcp), - foldedH, - linearizedPolynomialCanonical, - bwliop.Coefficients()[:bwliop.BlindedSize()], - bwriop.Coefficients()[:bwriop.BlindedSize()], - bwoiop.Coefficients()[:bwoiop.BlindedSize()], - pk.trace.S1.Coefficients(), - pk.trace.S2.Coefficients(), - ), - append(pk.Vk.Qcp, - foldedHDigest, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - pk.Vk.S[0], - pk.Vk.S[1], - ), + polysToOpen, + digestsToOpen, zeta, hFunc, pk.Kzg, diff --git a/backend/plonk/bn254/verify.go b/backend/plonk/bn254/verify.go index f370459e8f..4820560fe5 100644 --- a/backend/plonk/bn254/verify.go +++ b/backend/plonk/bn254/verify.go @@ -139,16 +139,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { zu := proof.ZShiftedOpening.ClaimedValue - qC := make([]fr.Element, len(proof.Bsb22Commitments)) - copy(qC, proof.BatchedProof.ClaimedValues) - claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):] - claimedQuotient := claimedValues[0] - linearizedPolynomialZeta := claimedValues[1] - l := claimedValues[2] - r := claimedValues[3] - o := claimedValues[4] - s1 := claimedValues[5] - s2 := claimedValues[6] + claimedQuotient := proof.BatchedProof.ClaimedValues[0] + linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1] + l := proof.BatchedProof.ClaimedValues[2] + r := proof.BatchedProof.ClaimedValues[3] + o := proof.BatchedProof.ClaimedValues[4] + s1 := proof.BatchedProof.ClaimedValues[5] + s2 := proof.BatchedProof.ClaimedValues[6] _s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ) _s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ) @@ -222,6 +219,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { vk.S[2], proof.Z, // second & third part ) + qC := make([]fr.Element, len(proof.Bsb22Commitments)) + copy(qC, proof.BatchedProof.ClaimedValues[7:]) scalars := append(qC, l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part _s1, _s2, // second & third part @@ -231,15 +230,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { } // Fold the first proof - foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp, - foldedH, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - vk.S[0], - vk.S[1], - ), + digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7) + copy(digestsToFold[7:], vk.Qcp) + digestsToFold[0] = foldedH + digestsToFold[1] = linearizedPolynomialDigest + digestsToFold[2] = proof.LRO[0] + digestsToFold[3] = proof.LRO[1] + digestsToFold[4] = proof.LRO[2] + digestsToFold[5] = vk.S[0] + digestsToFold[6] = vk.S[1] + foldedProof, foldedDigest, err := kzg.FoldProof( + digestsToFold, &proof.BatchedProof, zeta, hFunc, diff --git a/backend/plonk/bw6-633/prove.go b/backend/plonk/bw6-633/prove.go index 4155f7dc5f..ac9cf966e2 100644 --- a/backend/plonk/bw6-633/prove.go +++ b/backend/plonk/bw6-633/prove.go @@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts <-computeFoldedH // Batch open the first list of polynomials + polysQcp := coefficients(pk.trace.Qcp) + polysToOpen := make([][]fr.Element, 7+len(polysQcp)) + copy(polysToOpen[7:], polysQcp) + // offset := len(polysQcp) + polysToOpen[0] = foldedH + polysToOpen[1] = linearizedPolynomialCanonical + polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()] + polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()] + polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()] + polysToOpen[5] = pk.trace.S1.Coefficients() + polysToOpen[6] = pk.trace.S2.Coefficients() + + digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7) + copy(digestsToOpen[7:], pk.Vk.Qcp) + // offset = len(pk.Vk.Qcp) + digestsToOpen[0] = foldedHDigest + digestsToOpen[1] = linearizedPolynomialDigest + digestsToOpen[2] = proof.LRO[0] + digestsToOpen[3] = proof.LRO[1] + digestsToOpen[4] = proof.LRO[2] + digestsToOpen[5] = pk.Vk.S[0] + digestsToOpen[6] = pk.Vk.S[1] + proof.BatchedProof, err = kzg.BatchOpenSinglePoint( - append(coefficients(pk.trace.Qcp), - foldedH, - linearizedPolynomialCanonical, - bwliop.Coefficients()[:bwliop.BlindedSize()], - bwriop.Coefficients()[:bwriop.BlindedSize()], - bwoiop.Coefficients()[:bwoiop.BlindedSize()], - pk.trace.S1.Coefficients(), - pk.trace.S2.Coefficients(), - ), - append(pk.Vk.Qcp, - foldedHDigest, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - pk.Vk.S[0], - pk.Vk.S[1], - ), + polysToOpen, + digestsToOpen, zeta, hFunc, pk.Kzg, diff --git a/backend/plonk/bw6-633/verify.go b/backend/plonk/bw6-633/verify.go index 8f9c361479..63c4b1dbfb 100644 --- a/backend/plonk/bw6-633/verify.go +++ b/backend/plonk/bw6-633/verify.go @@ -39,7 +39,7 @@ var ( ) func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { - log := logger.Logger().With().Str("curve", "bw6_633").Str("backend", "plonk").Logger() + log := logger.Logger().With().Str("curve", "bw6-633").Str("backend", "plonk").Logger() start := time.Now() // pick a hash function to derive the challenge (the same as in the prover) @@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { zu := proof.ZShiftedOpening.ClaimedValue - qC := make([]fr.Element, len(proof.Bsb22Commitments)) - copy(qC, proof.BatchedProof.ClaimedValues) - claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):] - claimedQuotient := claimedValues[0] - linearizedPolynomialZeta := claimedValues[1] - l := claimedValues[2] - r := claimedValues[3] - o := claimedValues[4] - s1 := claimedValues[5] - s2 := claimedValues[6] + claimedQuotient := proof.BatchedProof.ClaimedValues[0] + linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1] + l := proof.BatchedProof.ClaimedValues[2] + r := proof.BatchedProof.ClaimedValues[3] + o := proof.BatchedProof.ClaimedValues[4] + s1 := proof.BatchedProof.ClaimedValues[5] + s2 := proof.BatchedProof.ClaimedValues[6] _s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ) _s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ) @@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { vk.S[2], proof.Z, // second & third part ) + qC := make([]fr.Element, len(proof.Bsb22Commitments)) + copy(qC, proof.BatchedProof.ClaimedValues[7:]) scalars := append(qC, l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part _s1, _s2, // second & third part @@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { } // Fold the first proof - foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp, - foldedH, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - vk.S[0], - vk.S[1], - ), + digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7) + copy(digestsToFold[7:], vk.Qcp) + digestsToFold[0] = foldedH + digestsToFold[1] = linearizedPolynomialDigest + digestsToFold[2] = proof.LRO[0] + digestsToFold[3] = proof.LRO[1] + digestsToFold[4] = proof.LRO[2] + digestsToFold[5] = vk.S[0] + digestsToFold[6] = vk.S[1] + foldedProof, foldedDigest, err := kzg.FoldProof( + digestsToFold, &proof.BatchedProof, zeta, hFunc, diff --git a/backend/plonk/bw6-761/prove.go b/backend/plonk/bw6-761/prove.go index d8e147ea0a..340a301ea5 100644 --- a/backend/plonk/bw6-761/prove.go +++ b/backend/plonk/bw6-761/prove.go @@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts <-computeFoldedH // Batch open the first list of polynomials + polysQcp := coefficients(pk.trace.Qcp) + polysToOpen := make([][]fr.Element, 7+len(polysQcp)) + copy(polysToOpen[7:], polysQcp) + // offset := len(polysQcp) + polysToOpen[0] = foldedH + polysToOpen[1] = linearizedPolynomialCanonical + polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()] + polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()] + polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()] + polysToOpen[5] = pk.trace.S1.Coefficients() + polysToOpen[6] = pk.trace.S2.Coefficients() + + digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7) + copy(digestsToOpen[7:], pk.Vk.Qcp) + // offset = len(pk.Vk.Qcp) + digestsToOpen[0] = foldedHDigest + digestsToOpen[1] = linearizedPolynomialDigest + digestsToOpen[2] = proof.LRO[0] + digestsToOpen[3] = proof.LRO[1] + digestsToOpen[4] = proof.LRO[2] + digestsToOpen[5] = pk.Vk.S[0] + digestsToOpen[6] = pk.Vk.S[1] + proof.BatchedProof, err = kzg.BatchOpenSinglePoint( - append(coefficients(pk.trace.Qcp), - foldedH, - linearizedPolynomialCanonical, - bwliop.Coefficients()[:bwliop.BlindedSize()], - bwriop.Coefficients()[:bwriop.BlindedSize()], - bwoiop.Coefficients()[:bwoiop.BlindedSize()], - pk.trace.S1.Coefficients(), - pk.trace.S2.Coefficients(), - ), - append(pk.Vk.Qcp, - foldedHDigest, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - pk.Vk.S[0], - pk.Vk.S[1], - ), + polysToOpen, + digestsToOpen, zeta, hFunc, pk.Kzg, diff --git a/backend/plonk/bw6-761/verify.go b/backend/plonk/bw6-761/verify.go index f9b2dad361..51c0719b8d 100644 --- a/backend/plonk/bw6-761/verify.go +++ b/backend/plonk/bw6-761/verify.go @@ -39,7 +39,7 @@ var ( ) func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { - log := logger.Logger().With().Str("curve", "bw6_761").Str("backend", "plonk").Logger() + log := logger.Logger().With().Str("curve", "bw6-761").Str("backend", "plonk").Logger() start := time.Now() // pick a hash function to derive the challenge (the same as in the prover) @@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { zu := proof.ZShiftedOpening.ClaimedValue - qC := make([]fr.Element, len(proof.Bsb22Commitments)) - copy(qC, proof.BatchedProof.ClaimedValues) - claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):] - claimedQuotient := claimedValues[0] - linearizedPolynomialZeta := claimedValues[1] - l := claimedValues[2] - r := claimedValues[3] - o := claimedValues[4] - s1 := claimedValues[5] - s2 := claimedValues[6] + claimedQuotient := proof.BatchedProof.ClaimedValues[0] + linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1] + l := proof.BatchedProof.ClaimedValues[2] + r := proof.BatchedProof.ClaimedValues[3] + o := proof.BatchedProof.ClaimedValues[4] + s1 := proof.BatchedProof.ClaimedValues[5] + s2 := proof.BatchedProof.ClaimedValues[6] _s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ) _s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ) @@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { vk.S[2], proof.Z, // second & third part ) + qC := make([]fr.Element, len(proof.Bsb22Commitments)) + copy(qC, proof.BatchedProof.ClaimedValues[7:]) scalars := append(qC, l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part _s1, _s2, // second & third part @@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { } // Fold the first proof - foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp, - foldedH, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - vk.S[0], - vk.S[1], - ), + digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7) + copy(digestsToFold[7:], vk.Qcp) + digestsToFold[0] = foldedH + digestsToFold[1] = linearizedPolynomialDigest + digestsToFold[2] = proof.LRO[0] + digestsToFold[3] = proof.LRO[1] + digestsToFold[4] = proof.LRO[2] + digestsToFold[5] = vk.S[0] + digestsToFold[6] = vk.S[1] + foldedProof, foldedDigest, err := kzg.FoldProof( + digestsToFold, &proof.BatchedProof, zeta, hFunc, diff --git a/internal/generator/backend/template/zkpschemes/plonk/plonk.prove.go.tmpl b/internal/generator/backend/template/zkpschemes/plonk/plonk.prove.go.tmpl index 44bf897328..d2034c03ea 100644 --- a/internal/generator/backend/template/zkpschemes/plonk/plonk.prove.go.tmpl +++ b/internal/generator/backend/template/zkpschemes/plonk/plonk.prove.go.tmpl @@ -133,7 +133,7 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts // we keep in lagrange regular form since iop.BuildRatioCopyConstraint prefers it in this form. wliop = iop.NewPolynomial(&evaluationLDomainSmall, lagReg) // we set the underlying slice capacity to domain[1].Cardinality to minimize mem moves. - bwliop = wliop.Clone(int(pk.Domain[1].Cardinality)).ToCanonical(&pk.Domain[0]).ToRegular().Blind(1) + bwliop = wliop.Clone(int(pk.Domain[1].Cardinality)).ToCanonical(&pk.Domain[0]).ToRegular().Blind(1) wgLRO.Done() }() go func() { @@ -147,13 +147,11 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts wgLRO.Done() }() - fw, ok := fullWitness.Vector().(fr.Vector) if !ok { return nil, witness.ErrInvalidWitness } - // start computing lcqk var lcqk *iop.Polynomial chLcqk := make(chan struct{}, 1) @@ -216,7 +214,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts bwoiop.ToLagrangeCoset(&pk.Domain[1]) wgLRO.Done() }() - // compute the copy constraint's ratio // note that wliop, wriop and woiop are fft'ed (mutated) in the process. @@ -260,7 +257,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts chZ <- nil close(chZ) }() - // Full capture using latest gnark crypto... fic := func(fql, fqr, fqm, fqo, fqk, l, r, o fr.Element, pi2QcPrime []fr.Element) fr.Element { // TODO @Tabaie make use of the fact that qCPrime is a selector: sparse and binary @@ -283,7 +279,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts return ic } - fo := func(l, r, o, fid, fs1, fs2, fs3, fz, fzs fr.Element) fr.Element { u := &pk.Domain[0].FrMultiplicativeGen var a, b, tmp fr.Element @@ -352,8 +347,7 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts pk.lcQo, lcqk, pk.lLoneIOP, - - } + } toEval = append(toEval, lcCommitments...) // TODO: Add this at beginning toEval = append(toEval, pk.lcQcp...) systemEvaluation, err := iop.Evaluate(fm, iop.Form{Basis: iop.LagrangeCoset, Layout: iop.BitReverse}, toEval...) @@ -366,7 +360,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts bwziop.ToCanonical(&pk.Domain[1]).ToRegular() close(chbwzIOP) }() - h, err := iop.DivideByXMinusOne(systemEvaluation, [2]*fft.Domain{&pk.Domain[0], &pk.Domain[1]}) // TODO Rename to DivideByXNMinusOne or DivideByVanishingPoly etc if err != nil { @@ -421,7 +414,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts return nil, err } - // start to compute foldedH and foldedHDigest while computeLinearizedPolynomial runs. computeFoldedH := make(chan struct{}, 1) var foldedH []fr.Element @@ -456,7 +448,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts wgEvals.Wait() // wait for the evaluations - var ( linearizedPolynomialCanonical []fr.Element linearizedPolynomialDigest curve.G1Affine @@ -486,35 +477,41 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts // TODO this commitment is only necessary to derive the challenge, we should // be able to avoid doing it and get the challenge in another way - linearizedPolynomialDigest, errLPoly = kzg.Commit(linearizedPolynomialCanonical, pk.Kzg, runtime.NumCPU() * 2) + linearizedPolynomialDigest, errLPoly = kzg.Commit(linearizedPolynomialCanonical, pk.Kzg, runtime.NumCPU()*2) if errLPoly != nil { return nil, errLPoly } - // wait for foldedH and foldedHDigest <-computeFoldedH // Batch open the first list of polynomials + polysQcp := coefficients(pk.trace.Qcp) + polysToOpen := make([][]fr.Element, 7+len(polysQcp)) + copy(polysToOpen[7:], polysQcp) + // offset := len(polysQcp) + polysToOpen[0] = foldedH + polysToOpen[1] = linearizedPolynomialCanonical + polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()] + polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()] + polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()] + polysToOpen[5] = pk.trace.S1.Coefficients() + polysToOpen[6] = pk.trace.S2.Coefficients() + + digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7) + copy(digestsToOpen[7:], pk.Vk.Qcp) + // offset = len(pk.Vk.Qcp) + digestsToOpen[0] = foldedHDigest + digestsToOpen[1] = linearizedPolynomialDigest + digestsToOpen[2] = proof.LRO[0] + digestsToOpen[3] = proof.LRO[1] + digestsToOpen[4] = proof.LRO[2] + digestsToOpen[5] = pk.Vk.S[0] + digestsToOpen[6] = pk.Vk.S[1] + proof.BatchedProof, err = kzg.BatchOpenSinglePoint( - append(coefficients(pk.trace.Qcp), - foldedH, - linearizedPolynomialCanonical, - bwliop.Coefficients()[:bwliop.BlindedSize()], - bwriop.Coefficients()[:bwriop.BlindedSize()], - bwoiop.Coefficients()[:bwoiop.BlindedSize()], - pk.trace.S1.Coefficients(), - pk.trace.S2.Coefficients(), - ), - append(pk.Vk.Qcp, - foldedHDigest, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - pk.Vk.S[0], - pk.Vk.S[1], - ), + polysToOpen, + digestsToOpen, zeta, hFunc, pk.Kzg, @@ -540,7 +537,7 @@ func coefficients(p []*iop.Polynomial) [][]fr.Element { // fills proof.LRO with kzg commits of bcl, bcr and bco func commitToLRO(bcl, bcr, bco []fr.Element, proof *Proof, kzgPk kzg.ProvingKey) error { - n := runtime.NumCPU() + n := runtime.NumCPU() var err0, err1, err2 error chCommit0 := make(chan struct{}, 1) chCommit1 := make(chan struct{}, 1) @@ -566,7 +563,7 @@ func commitToLRO(bcl, bcr, bco []fr.Element, proof *Proof, kzgPk kzg.ProvingKey) } func commitToQuotient(h1, h2, h3 []fr.Element, proof *Proof, kzgPk kzg.ProvingKey) error { - n := runtime.NumCPU() + n := runtime.NumCPU() var err0, err1, err2 error chCommit0 := make(chan struct{}, 1) chCommit1 := make(chan struct{}, 1) @@ -649,7 +646,6 @@ func computeLinearizedPolynomial(lZeta, rZeta, oZeta, alpha, beta, gamma, zeta, Mul(&lagrangeZeta, &alpha). Mul(&lagrangeZeta, &pk.Domain[0].CardinalityInv) // (1/n)*α²*L₁(ζ) - s3canonical := pk.trace.S3.Coefficients() utils.Parallelize(len(blindedZCanonical), func(start, end int) { @@ -697,4 +693,4 @@ func computeLinearizedPolynomial(lZeta, rZeta, oZeta, alpha, beta, gamma, zeta, } }) return blindedZCanonical -} \ No newline at end of file +} diff --git a/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl b/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl index 7a2d582ce9..3ab826cedd 100644 --- a/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl +++ b/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl @@ -20,7 +20,7 @@ var ( ) func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { - log := logger.Logger().With().Str("curve", "{{ toLower .CurveID }}").Str("backend", "plonk").Logger() + log := logger.Logger().With().Str("curve", "{{ toLower .Curve }}").Str("backend", "plonk").Logger() start := time.Now() // pick a hash function to derive the challenge (the same as in the prover) @@ -103,10 +103,10 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { den.Sub(&zeta, &wPowI) // ζ-wⁱ lagrange.SetOne(). - Sub(&zeta, &lagrange). // ζ-1 - Mul(&lagrange, &wPowI). // wⁱ(ζ-1) - Div(&lagrange, &den). // wⁱ(ζ-1)/(ζ-wⁱ) - Mul(&lagrange, &lagrangeOne) // wⁱ/n (ζⁿ-1)/(ζ-wⁱ) + Sub(&zeta, &lagrange). // ζ-1 + Mul(&lagrange, &wPowI). // wⁱ(ζ-1) + Div(&lagrange, &den). // wⁱ(ζ-1)/(ζ-wⁱ) + Mul(&lagrange, &lagrangeOne) // wⁱ/n (ζⁿ-1)/(ζ-wⁱ) xiLi.Mul(&lagrange, &hashRes[0]) pi.Add(&pi, &xiLi) @@ -118,16 +118,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { zu := proof.ZShiftedOpening.ClaimedValue - qC := make([]fr.Element, len(proof.Bsb22Commitments)) - copy(qC, proof.BatchedProof.ClaimedValues) - claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):] - claimedQuotient := claimedValues[0] - linearizedPolynomialZeta := claimedValues[1] - l := claimedValues[2] - r := claimedValues[3] - o := claimedValues[4] - s1 := claimedValues[5] - s2 := claimedValues[6] + claimedQuotient := proof.BatchedProof.ClaimedValues[0] + linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1] + l := proof.BatchedProof.ClaimedValues[2] + r := proof.BatchedProof.ClaimedValues[3] + o := proof.BatchedProof.ClaimedValues[4] + s1 := proof.BatchedProof.ClaimedValues[5] + s2 := proof.BatchedProof.ClaimedValues[6] _s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ) _s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ) @@ -201,8 +198,10 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { vk.S[2], proof.Z, // second & third part ) + qC := make([]fr.Element, len(proof.Bsb22Commitments)) + copy(qC, proof.BatchedProof.ClaimedValues[7:]) scalars := append(qC, - l, r, rl, o, one /* TODO Perf @Tabaie Consider just adding Qk instead */, // first part + l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part _s1, _s2, // second & third part ) if _, err := linearizedPolynomialDigest.MultiExp(points, scalars, ecc.MultiExpConfig{}); err != nil { @@ -210,15 +209,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error { } // Fold the first proof - foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp, - foldedH, - linearizedPolynomialDigest, - proof.LRO[0], - proof.LRO[1], - proof.LRO[2], - vk.S[0], - vk.S[1], - ), + digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7) + copy(digestsToFold[7:], vk.Qcp) + digestsToFold[0] = foldedH + digestsToFold[1] = linearizedPolynomialDigest + digestsToFold[2] = proof.LRO[0] + digestsToFold[3] = proof.LRO[1] + digestsToFold[4] = proof.LRO[2] + digestsToFold[5] = vk.S[0] + digestsToFold[6] = vk.S[1] + foldedProof, foldedDigest, err := kzg.FoldProof( + digestsToFold, &proof.BatchedProof, zeta, hFunc, @@ -318,6 +319,7 @@ func deriveRandomness(fs *fiatshamir.Transcript, challenge string, points ...*cu return r, nil } + {{if eq .Curve "BN254"}} // ExportSolidity exports the verifying key to a solidity smart contract. //