diff --git a/backend/plonk/bls12-377/prove.go b/backend/plonk/bls12-377/prove.go
index a6833fe0c9..b2a9c29b6f 100644
--- a/backend/plonk/bls12-377/prove.go
+++ b/backend/plonk/bls12-377/prove.go
@@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
<-computeFoldedH
// Batch open the first list of polynomials
+ polysQcp := coefficients(pk.trace.Qcp)
+ polysToOpen := make([][]fr.Element, 7+len(polysQcp))
+ copy(polysToOpen[7:], polysQcp)
+ // offset := len(polysQcp)
+ polysToOpen[0] = foldedH
+ polysToOpen[1] = linearizedPolynomialCanonical
+ polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()]
+ polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()]
+ polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()]
+ polysToOpen[5] = pk.trace.S1.Coefficients()
+ polysToOpen[6] = pk.trace.S2.Coefficients()
+
+ digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7)
+ copy(digestsToOpen[7:], pk.Vk.Qcp)
+ // offset = len(pk.Vk.Qcp)
+ digestsToOpen[0] = foldedHDigest
+ digestsToOpen[1] = linearizedPolynomialDigest
+ digestsToOpen[2] = proof.LRO[0]
+ digestsToOpen[3] = proof.LRO[1]
+ digestsToOpen[4] = proof.LRO[2]
+ digestsToOpen[5] = pk.Vk.S[0]
+ digestsToOpen[6] = pk.Vk.S[1]
+
proof.BatchedProof, err = kzg.BatchOpenSinglePoint(
- append(coefficients(pk.trace.Qcp),
- foldedH,
- linearizedPolynomialCanonical,
- bwliop.Coefficients()[:bwliop.BlindedSize()],
- bwriop.Coefficients()[:bwriop.BlindedSize()],
- bwoiop.Coefficients()[:bwoiop.BlindedSize()],
- pk.trace.S1.Coefficients(),
- pk.trace.S2.Coefficients(),
- ),
- append(pk.Vk.Qcp,
- foldedHDigest,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- pk.Vk.S[0],
- pk.Vk.S[1],
- ),
+ polysToOpen,
+ digestsToOpen,
zeta,
hFunc,
pk.Kzg,
diff --git a/backend/plonk/bls12-377/verify.go b/backend/plonk/bls12-377/verify.go
index af820983d0..c28a894d02 100644
--- a/backend/plonk/bls12-377/verify.go
+++ b/backend/plonk/bls12-377/verify.go
@@ -39,7 +39,7 @@ var (
)
func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
- log := logger.Logger().With().Str("curve", "bls12_377").Str("backend", "plonk").Logger()
+ log := logger.Logger().With().Str("curve", "bls12-377").Str("backend", "plonk").Logger()
start := time.Now()
// pick a hash function to derive the challenge (the same as in the prover)
@@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
zu := proof.ZShiftedOpening.ClaimedValue
- qC := make([]fr.Element, len(proof.Bsb22Commitments))
- copy(qC, proof.BatchedProof.ClaimedValues)
- claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):]
- claimedQuotient := claimedValues[0]
- linearizedPolynomialZeta := claimedValues[1]
- l := claimedValues[2]
- r := claimedValues[3]
- o := claimedValues[4]
- s1 := claimedValues[5]
- s2 := claimedValues[6]
+ claimedQuotient := proof.BatchedProof.ClaimedValues[0]
+ linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1]
+ l := proof.BatchedProof.ClaimedValues[2]
+ r := proof.BatchedProof.ClaimedValues[3]
+ o := proof.BatchedProof.ClaimedValues[4]
+ s1 := proof.BatchedProof.ClaimedValues[5]
+ s2 := proof.BatchedProof.ClaimedValues[6]
_s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ)
_s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ)
@@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
vk.S[2], proof.Z, // second & third part
)
+ qC := make([]fr.Element, len(proof.Bsb22Commitments))
+ copy(qC, proof.BatchedProof.ClaimedValues[7:])
scalars := append(qC,
l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part
_s1, _s2, // second & third part
@@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
}
// Fold the first proof
- foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp,
- foldedH,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- vk.S[0],
- vk.S[1],
- ),
+ digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7)
+ copy(digestsToFold[7:], vk.Qcp)
+ digestsToFold[0] = foldedH
+ digestsToFold[1] = linearizedPolynomialDigest
+ digestsToFold[2] = proof.LRO[0]
+ digestsToFold[3] = proof.LRO[1]
+ digestsToFold[4] = proof.LRO[2]
+ digestsToFold[5] = vk.S[0]
+ digestsToFold[6] = vk.S[1]
+ foldedProof, foldedDigest, err := kzg.FoldProof(
+ digestsToFold,
&proof.BatchedProof,
zeta,
hFunc,
diff --git a/backend/plonk/bls12-381/prove.go b/backend/plonk/bls12-381/prove.go
index 69bfbeb4a9..b5972e36d3 100644
--- a/backend/plonk/bls12-381/prove.go
+++ b/backend/plonk/bls12-381/prove.go
@@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
<-computeFoldedH
// Batch open the first list of polynomials
+ polysQcp := coefficients(pk.trace.Qcp)
+ polysToOpen := make([][]fr.Element, 7+len(polysQcp))
+ copy(polysToOpen[7:], polysQcp)
+ // offset := len(polysQcp)
+ polysToOpen[0] = foldedH
+ polysToOpen[1] = linearizedPolynomialCanonical
+ polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()]
+ polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()]
+ polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()]
+ polysToOpen[5] = pk.trace.S1.Coefficients()
+ polysToOpen[6] = pk.trace.S2.Coefficients()
+
+ digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7)
+ copy(digestsToOpen[7:], pk.Vk.Qcp)
+ // offset = len(pk.Vk.Qcp)
+ digestsToOpen[0] = foldedHDigest
+ digestsToOpen[1] = linearizedPolynomialDigest
+ digestsToOpen[2] = proof.LRO[0]
+ digestsToOpen[3] = proof.LRO[1]
+ digestsToOpen[4] = proof.LRO[2]
+ digestsToOpen[5] = pk.Vk.S[0]
+ digestsToOpen[6] = pk.Vk.S[1]
+
proof.BatchedProof, err = kzg.BatchOpenSinglePoint(
- append(coefficients(pk.trace.Qcp),
- foldedH,
- linearizedPolynomialCanonical,
- bwliop.Coefficients()[:bwliop.BlindedSize()],
- bwriop.Coefficients()[:bwriop.BlindedSize()],
- bwoiop.Coefficients()[:bwoiop.BlindedSize()],
- pk.trace.S1.Coefficients(),
- pk.trace.S2.Coefficients(),
- ),
- append(pk.Vk.Qcp,
- foldedHDigest,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- pk.Vk.S[0],
- pk.Vk.S[1],
- ),
+ polysToOpen,
+ digestsToOpen,
zeta,
hFunc,
pk.Kzg,
diff --git a/backend/plonk/bls12-381/verify.go b/backend/plonk/bls12-381/verify.go
index f22da3bc6e..3124e92c5e 100644
--- a/backend/plonk/bls12-381/verify.go
+++ b/backend/plonk/bls12-381/verify.go
@@ -39,7 +39,7 @@ var (
)
func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
- log := logger.Logger().With().Str("curve", "bls12_381").Str("backend", "plonk").Logger()
+ log := logger.Logger().With().Str("curve", "bls12-381").Str("backend", "plonk").Logger()
start := time.Now()
// pick a hash function to derive the challenge (the same as in the prover)
@@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
zu := proof.ZShiftedOpening.ClaimedValue
- qC := make([]fr.Element, len(proof.Bsb22Commitments))
- copy(qC, proof.BatchedProof.ClaimedValues)
- claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):]
- claimedQuotient := claimedValues[0]
- linearizedPolynomialZeta := claimedValues[1]
- l := claimedValues[2]
- r := claimedValues[3]
- o := claimedValues[4]
- s1 := claimedValues[5]
- s2 := claimedValues[6]
+ claimedQuotient := proof.BatchedProof.ClaimedValues[0]
+ linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1]
+ l := proof.BatchedProof.ClaimedValues[2]
+ r := proof.BatchedProof.ClaimedValues[3]
+ o := proof.BatchedProof.ClaimedValues[4]
+ s1 := proof.BatchedProof.ClaimedValues[5]
+ s2 := proof.BatchedProof.ClaimedValues[6]
_s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ)
_s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ)
@@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
vk.S[2], proof.Z, // second & third part
)
+ qC := make([]fr.Element, len(proof.Bsb22Commitments))
+ copy(qC, proof.BatchedProof.ClaimedValues[7:])
scalars := append(qC,
l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part
_s1, _s2, // second & third part
@@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
}
// Fold the first proof
- foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp,
- foldedH,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- vk.S[0],
- vk.S[1],
- ),
+ digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7)
+ copy(digestsToFold[7:], vk.Qcp)
+ digestsToFold[0] = foldedH
+ digestsToFold[1] = linearizedPolynomialDigest
+ digestsToFold[2] = proof.LRO[0]
+ digestsToFold[3] = proof.LRO[1]
+ digestsToFold[4] = proof.LRO[2]
+ digestsToFold[5] = vk.S[0]
+ digestsToFold[6] = vk.S[1]
+ foldedProof, foldedDigest, err := kzg.FoldProof(
+ digestsToFold,
&proof.BatchedProof,
zeta,
hFunc,
diff --git a/backend/plonk/bls24-315/prove.go b/backend/plonk/bls24-315/prove.go
index 69ef7228c1..39e11185fa 100644
--- a/backend/plonk/bls24-315/prove.go
+++ b/backend/plonk/bls24-315/prove.go
@@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
<-computeFoldedH
// Batch open the first list of polynomials
+ polysQcp := coefficients(pk.trace.Qcp)
+ polysToOpen := make([][]fr.Element, 7+len(polysQcp))
+ copy(polysToOpen[7:], polysQcp)
+ // offset := len(polysQcp)
+ polysToOpen[0] = foldedH
+ polysToOpen[1] = linearizedPolynomialCanonical
+ polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()]
+ polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()]
+ polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()]
+ polysToOpen[5] = pk.trace.S1.Coefficients()
+ polysToOpen[6] = pk.trace.S2.Coefficients()
+
+ digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7)
+ copy(digestsToOpen[7:], pk.Vk.Qcp)
+ // offset = len(pk.Vk.Qcp)
+ digestsToOpen[0] = foldedHDigest
+ digestsToOpen[1] = linearizedPolynomialDigest
+ digestsToOpen[2] = proof.LRO[0]
+ digestsToOpen[3] = proof.LRO[1]
+ digestsToOpen[4] = proof.LRO[2]
+ digestsToOpen[5] = pk.Vk.S[0]
+ digestsToOpen[6] = pk.Vk.S[1]
+
proof.BatchedProof, err = kzg.BatchOpenSinglePoint(
- append(coefficients(pk.trace.Qcp),
- foldedH,
- linearizedPolynomialCanonical,
- bwliop.Coefficients()[:bwliop.BlindedSize()],
- bwriop.Coefficients()[:bwriop.BlindedSize()],
- bwoiop.Coefficients()[:bwoiop.BlindedSize()],
- pk.trace.S1.Coefficients(),
- pk.trace.S2.Coefficients(),
- ),
- append(pk.Vk.Qcp,
- foldedHDigest,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- pk.Vk.S[0],
- pk.Vk.S[1],
- ),
+ polysToOpen,
+ digestsToOpen,
zeta,
hFunc,
pk.Kzg,
diff --git a/backend/plonk/bls24-315/verify.go b/backend/plonk/bls24-315/verify.go
index afa89fa0b6..81dc747e0b 100644
--- a/backend/plonk/bls24-315/verify.go
+++ b/backend/plonk/bls24-315/verify.go
@@ -39,7 +39,7 @@ var (
)
func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
- log := logger.Logger().With().Str("curve", "bls24_315").Str("backend", "plonk").Logger()
+ log := logger.Logger().With().Str("curve", "bls24-315").Str("backend", "plonk").Logger()
start := time.Now()
// pick a hash function to derive the challenge (the same as in the prover)
@@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
zu := proof.ZShiftedOpening.ClaimedValue
- qC := make([]fr.Element, len(proof.Bsb22Commitments))
- copy(qC, proof.BatchedProof.ClaimedValues)
- claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):]
- claimedQuotient := claimedValues[0]
- linearizedPolynomialZeta := claimedValues[1]
- l := claimedValues[2]
- r := claimedValues[3]
- o := claimedValues[4]
- s1 := claimedValues[5]
- s2 := claimedValues[6]
+ claimedQuotient := proof.BatchedProof.ClaimedValues[0]
+ linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1]
+ l := proof.BatchedProof.ClaimedValues[2]
+ r := proof.BatchedProof.ClaimedValues[3]
+ o := proof.BatchedProof.ClaimedValues[4]
+ s1 := proof.BatchedProof.ClaimedValues[5]
+ s2 := proof.BatchedProof.ClaimedValues[6]
_s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ)
_s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ)
@@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
vk.S[2], proof.Z, // second & third part
)
+ qC := make([]fr.Element, len(proof.Bsb22Commitments))
+ copy(qC, proof.BatchedProof.ClaimedValues[7:])
scalars := append(qC,
l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part
_s1, _s2, // second & third part
@@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
}
// Fold the first proof
- foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp,
- foldedH,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- vk.S[0],
- vk.S[1],
- ),
+ digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7)
+ copy(digestsToFold[7:], vk.Qcp)
+ digestsToFold[0] = foldedH
+ digestsToFold[1] = linearizedPolynomialDigest
+ digestsToFold[2] = proof.LRO[0]
+ digestsToFold[3] = proof.LRO[1]
+ digestsToFold[4] = proof.LRO[2]
+ digestsToFold[5] = vk.S[0]
+ digestsToFold[6] = vk.S[1]
+ foldedProof, foldedDigest, err := kzg.FoldProof(
+ digestsToFold,
&proof.BatchedProof,
zeta,
hFunc,
diff --git a/backend/plonk/bls24-317/prove.go b/backend/plonk/bls24-317/prove.go
index 753b151b9c..5ec3131efc 100644
--- a/backend/plonk/bls24-317/prove.go
+++ b/backend/plonk/bls24-317/prove.go
@@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
<-computeFoldedH
// Batch open the first list of polynomials
+ polysQcp := coefficients(pk.trace.Qcp)
+ polysToOpen := make([][]fr.Element, 7+len(polysQcp))
+ copy(polysToOpen[7:], polysQcp)
+ // offset := len(polysQcp)
+ polysToOpen[0] = foldedH
+ polysToOpen[1] = linearizedPolynomialCanonical
+ polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()]
+ polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()]
+ polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()]
+ polysToOpen[5] = pk.trace.S1.Coefficients()
+ polysToOpen[6] = pk.trace.S2.Coefficients()
+
+ digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7)
+ copy(digestsToOpen[7:], pk.Vk.Qcp)
+ // offset = len(pk.Vk.Qcp)
+ digestsToOpen[0] = foldedHDigest
+ digestsToOpen[1] = linearizedPolynomialDigest
+ digestsToOpen[2] = proof.LRO[0]
+ digestsToOpen[3] = proof.LRO[1]
+ digestsToOpen[4] = proof.LRO[2]
+ digestsToOpen[5] = pk.Vk.S[0]
+ digestsToOpen[6] = pk.Vk.S[1]
+
proof.BatchedProof, err = kzg.BatchOpenSinglePoint(
- append(coefficients(pk.trace.Qcp),
- foldedH,
- linearizedPolynomialCanonical,
- bwliop.Coefficients()[:bwliop.BlindedSize()],
- bwriop.Coefficients()[:bwriop.BlindedSize()],
- bwoiop.Coefficients()[:bwoiop.BlindedSize()],
- pk.trace.S1.Coefficients(),
- pk.trace.S2.Coefficients(),
- ),
- append(pk.Vk.Qcp,
- foldedHDigest,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- pk.Vk.S[0],
- pk.Vk.S[1],
- ),
+ polysToOpen,
+ digestsToOpen,
zeta,
hFunc,
pk.Kzg,
diff --git a/backend/plonk/bls24-317/verify.go b/backend/plonk/bls24-317/verify.go
index 3aa9661e80..a6a7479e08 100644
--- a/backend/plonk/bls24-317/verify.go
+++ b/backend/plonk/bls24-317/verify.go
@@ -39,7 +39,7 @@ var (
)
func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
- log := logger.Logger().With().Str("curve", "bls24_317").Str("backend", "plonk").Logger()
+ log := logger.Logger().With().Str("curve", "bls24-317").Str("backend", "plonk").Logger()
start := time.Now()
// pick a hash function to derive the challenge (the same as in the prover)
@@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
zu := proof.ZShiftedOpening.ClaimedValue
- qC := make([]fr.Element, len(proof.Bsb22Commitments))
- copy(qC, proof.BatchedProof.ClaimedValues)
- claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):]
- claimedQuotient := claimedValues[0]
- linearizedPolynomialZeta := claimedValues[1]
- l := claimedValues[2]
- r := claimedValues[3]
- o := claimedValues[4]
- s1 := claimedValues[5]
- s2 := claimedValues[6]
+ claimedQuotient := proof.BatchedProof.ClaimedValues[0]
+ linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1]
+ l := proof.BatchedProof.ClaimedValues[2]
+ r := proof.BatchedProof.ClaimedValues[3]
+ o := proof.BatchedProof.ClaimedValues[4]
+ s1 := proof.BatchedProof.ClaimedValues[5]
+ s2 := proof.BatchedProof.ClaimedValues[6]
_s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ)
_s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ)
@@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
vk.S[2], proof.Z, // second & third part
)
+ qC := make([]fr.Element, len(proof.Bsb22Commitments))
+ copy(qC, proof.BatchedProof.ClaimedValues[7:])
scalars := append(qC,
l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part
_s1, _s2, // second & third part
@@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
}
// Fold the first proof
- foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp,
- foldedH,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- vk.S[0],
- vk.S[1],
- ),
+ digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7)
+ copy(digestsToFold[7:], vk.Qcp)
+ digestsToFold[0] = foldedH
+ digestsToFold[1] = linearizedPolynomialDigest
+ digestsToFold[2] = proof.LRO[0]
+ digestsToFold[3] = proof.LRO[1]
+ digestsToFold[4] = proof.LRO[2]
+ digestsToFold[5] = vk.S[0]
+ digestsToFold[6] = vk.S[1]
+ foldedProof, foldedDigest, err := kzg.FoldProof(
+ digestsToFold,
&proof.BatchedProof,
zeta,
hFunc,
diff --git a/backend/plonk/bn254/prove.go b/backend/plonk/bn254/prove.go
index 6cf1ef2dff..1302571166 100644
--- a/backend/plonk/bn254/prove.go
+++ b/backend/plonk/bn254/prove.go
@@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
<-computeFoldedH
// Batch open the first list of polynomials
+ polysQcp := coefficients(pk.trace.Qcp)
+ polysToOpen := make([][]fr.Element, 7+len(polysQcp))
+ copy(polysToOpen[7:], polysQcp)
+ // offset := len(polysQcp)
+ polysToOpen[0] = foldedH
+ polysToOpen[1] = linearizedPolynomialCanonical
+ polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()]
+ polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()]
+ polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()]
+ polysToOpen[5] = pk.trace.S1.Coefficients()
+ polysToOpen[6] = pk.trace.S2.Coefficients()
+
+ digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7)
+ copy(digestsToOpen[7:], pk.Vk.Qcp)
+ // offset = len(pk.Vk.Qcp)
+ digestsToOpen[0] = foldedHDigest
+ digestsToOpen[1] = linearizedPolynomialDigest
+ digestsToOpen[2] = proof.LRO[0]
+ digestsToOpen[3] = proof.LRO[1]
+ digestsToOpen[4] = proof.LRO[2]
+ digestsToOpen[5] = pk.Vk.S[0]
+ digestsToOpen[6] = pk.Vk.S[1]
+
proof.BatchedProof, err = kzg.BatchOpenSinglePoint(
- append(coefficients(pk.trace.Qcp),
- foldedH,
- linearizedPolynomialCanonical,
- bwliop.Coefficients()[:bwliop.BlindedSize()],
- bwriop.Coefficients()[:bwriop.BlindedSize()],
- bwoiop.Coefficients()[:bwoiop.BlindedSize()],
- pk.trace.S1.Coefficients(),
- pk.trace.S2.Coefficients(),
- ),
- append(pk.Vk.Qcp,
- foldedHDigest,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- pk.Vk.S[0],
- pk.Vk.S[1],
- ),
+ polysToOpen,
+ digestsToOpen,
zeta,
hFunc,
pk.Kzg,
diff --git a/backend/plonk/bn254/verify.go b/backend/plonk/bn254/verify.go
index f370459e8f..4820560fe5 100644
--- a/backend/plonk/bn254/verify.go
+++ b/backend/plonk/bn254/verify.go
@@ -139,16 +139,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
zu := proof.ZShiftedOpening.ClaimedValue
- qC := make([]fr.Element, len(proof.Bsb22Commitments))
- copy(qC, proof.BatchedProof.ClaimedValues)
- claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):]
- claimedQuotient := claimedValues[0]
- linearizedPolynomialZeta := claimedValues[1]
- l := claimedValues[2]
- r := claimedValues[3]
- o := claimedValues[4]
- s1 := claimedValues[5]
- s2 := claimedValues[6]
+ claimedQuotient := proof.BatchedProof.ClaimedValues[0]
+ linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1]
+ l := proof.BatchedProof.ClaimedValues[2]
+ r := proof.BatchedProof.ClaimedValues[3]
+ o := proof.BatchedProof.ClaimedValues[4]
+ s1 := proof.BatchedProof.ClaimedValues[5]
+ s2 := proof.BatchedProof.ClaimedValues[6]
_s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ)
_s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ)
@@ -222,6 +219,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
vk.S[2], proof.Z, // second & third part
)
+ qC := make([]fr.Element, len(proof.Bsb22Commitments))
+ copy(qC, proof.BatchedProof.ClaimedValues[7:])
scalars := append(qC,
l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part
_s1, _s2, // second & third part
@@ -231,15 +230,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
}
// Fold the first proof
- foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp,
- foldedH,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- vk.S[0],
- vk.S[1],
- ),
+ digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7)
+ copy(digestsToFold[7:], vk.Qcp)
+ digestsToFold[0] = foldedH
+ digestsToFold[1] = linearizedPolynomialDigest
+ digestsToFold[2] = proof.LRO[0]
+ digestsToFold[3] = proof.LRO[1]
+ digestsToFold[4] = proof.LRO[2]
+ digestsToFold[5] = vk.S[0]
+ digestsToFold[6] = vk.S[1]
+ foldedProof, foldedDigest, err := kzg.FoldProof(
+ digestsToFold,
&proof.BatchedProof,
zeta,
hFunc,
diff --git a/backend/plonk/bw6-633/prove.go b/backend/plonk/bw6-633/prove.go
index 4155f7dc5f..ac9cf966e2 100644
--- a/backend/plonk/bw6-633/prove.go
+++ b/backend/plonk/bw6-633/prove.go
@@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
<-computeFoldedH
// Batch open the first list of polynomials
+ polysQcp := coefficients(pk.trace.Qcp)
+ polysToOpen := make([][]fr.Element, 7+len(polysQcp))
+ copy(polysToOpen[7:], polysQcp)
+ // offset := len(polysQcp)
+ polysToOpen[0] = foldedH
+ polysToOpen[1] = linearizedPolynomialCanonical
+ polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()]
+ polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()]
+ polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()]
+ polysToOpen[5] = pk.trace.S1.Coefficients()
+ polysToOpen[6] = pk.trace.S2.Coefficients()
+
+ digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7)
+ copy(digestsToOpen[7:], pk.Vk.Qcp)
+ // offset = len(pk.Vk.Qcp)
+ digestsToOpen[0] = foldedHDigest
+ digestsToOpen[1] = linearizedPolynomialDigest
+ digestsToOpen[2] = proof.LRO[0]
+ digestsToOpen[3] = proof.LRO[1]
+ digestsToOpen[4] = proof.LRO[2]
+ digestsToOpen[5] = pk.Vk.S[0]
+ digestsToOpen[6] = pk.Vk.S[1]
+
proof.BatchedProof, err = kzg.BatchOpenSinglePoint(
- append(coefficients(pk.trace.Qcp),
- foldedH,
- linearizedPolynomialCanonical,
- bwliop.Coefficients()[:bwliop.BlindedSize()],
- bwriop.Coefficients()[:bwriop.BlindedSize()],
- bwoiop.Coefficients()[:bwoiop.BlindedSize()],
- pk.trace.S1.Coefficients(),
- pk.trace.S2.Coefficients(),
- ),
- append(pk.Vk.Qcp,
- foldedHDigest,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- pk.Vk.S[0],
- pk.Vk.S[1],
- ),
+ polysToOpen,
+ digestsToOpen,
zeta,
hFunc,
pk.Kzg,
diff --git a/backend/plonk/bw6-633/verify.go b/backend/plonk/bw6-633/verify.go
index 8f9c361479..63c4b1dbfb 100644
--- a/backend/plonk/bw6-633/verify.go
+++ b/backend/plonk/bw6-633/verify.go
@@ -39,7 +39,7 @@ var (
)
func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
- log := logger.Logger().With().Str("curve", "bw6_633").Str("backend", "plonk").Logger()
+ log := logger.Logger().With().Str("curve", "bw6-633").Str("backend", "plonk").Logger()
start := time.Now()
// pick a hash function to derive the challenge (the same as in the prover)
@@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
zu := proof.ZShiftedOpening.ClaimedValue
- qC := make([]fr.Element, len(proof.Bsb22Commitments))
- copy(qC, proof.BatchedProof.ClaimedValues)
- claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):]
- claimedQuotient := claimedValues[0]
- linearizedPolynomialZeta := claimedValues[1]
- l := claimedValues[2]
- r := claimedValues[3]
- o := claimedValues[4]
- s1 := claimedValues[5]
- s2 := claimedValues[6]
+ claimedQuotient := proof.BatchedProof.ClaimedValues[0]
+ linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1]
+ l := proof.BatchedProof.ClaimedValues[2]
+ r := proof.BatchedProof.ClaimedValues[3]
+ o := proof.BatchedProof.ClaimedValues[4]
+ s1 := proof.BatchedProof.ClaimedValues[5]
+ s2 := proof.BatchedProof.ClaimedValues[6]
_s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ)
_s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ)
@@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
vk.S[2], proof.Z, // second & third part
)
+ qC := make([]fr.Element, len(proof.Bsb22Commitments))
+ copy(qC, proof.BatchedProof.ClaimedValues[7:])
scalars := append(qC,
l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part
_s1, _s2, // second & third part
@@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
}
// Fold the first proof
- foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp,
- foldedH,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- vk.S[0],
- vk.S[1],
- ),
+ digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7)
+ copy(digestsToFold[7:], vk.Qcp)
+ digestsToFold[0] = foldedH
+ digestsToFold[1] = linearizedPolynomialDigest
+ digestsToFold[2] = proof.LRO[0]
+ digestsToFold[3] = proof.LRO[1]
+ digestsToFold[4] = proof.LRO[2]
+ digestsToFold[5] = vk.S[0]
+ digestsToFold[6] = vk.S[1]
+ foldedProof, foldedDigest, err := kzg.FoldProof(
+ digestsToFold,
&proof.BatchedProof,
zeta,
hFunc,
diff --git a/backend/plonk/bw6-761/prove.go b/backend/plonk/bw6-761/prove.go
index d8e147ea0a..340a301ea5 100644
--- a/backend/plonk/bw6-761/prove.go
+++ b/backend/plonk/bw6-761/prove.go
@@ -508,25 +508,32 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
<-computeFoldedH
// Batch open the first list of polynomials
+ polysQcp := coefficients(pk.trace.Qcp)
+ polysToOpen := make([][]fr.Element, 7+len(polysQcp))
+ copy(polysToOpen[7:], polysQcp)
+ // offset := len(polysQcp)
+ polysToOpen[0] = foldedH
+ polysToOpen[1] = linearizedPolynomialCanonical
+ polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()]
+ polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()]
+ polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()]
+ polysToOpen[5] = pk.trace.S1.Coefficients()
+ polysToOpen[6] = pk.trace.S2.Coefficients()
+
+ digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7)
+ copy(digestsToOpen[7:], pk.Vk.Qcp)
+ // offset = len(pk.Vk.Qcp)
+ digestsToOpen[0] = foldedHDigest
+ digestsToOpen[1] = linearizedPolynomialDigest
+ digestsToOpen[2] = proof.LRO[0]
+ digestsToOpen[3] = proof.LRO[1]
+ digestsToOpen[4] = proof.LRO[2]
+ digestsToOpen[5] = pk.Vk.S[0]
+ digestsToOpen[6] = pk.Vk.S[1]
+
proof.BatchedProof, err = kzg.BatchOpenSinglePoint(
- append(coefficients(pk.trace.Qcp),
- foldedH,
- linearizedPolynomialCanonical,
- bwliop.Coefficients()[:bwliop.BlindedSize()],
- bwriop.Coefficients()[:bwriop.BlindedSize()],
- bwoiop.Coefficients()[:bwoiop.BlindedSize()],
- pk.trace.S1.Coefficients(),
- pk.trace.S2.Coefficients(),
- ),
- append(pk.Vk.Qcp,
- foldedHDigest,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- pk.Vk.S[0],
- pk.Vk.S[1],
- ),
+ polysToOpen,
+ digestsToOpen,
zeta,
hFunc,
pk.Kzg,
diff --git a/backend/plonk/bw6-761/verify.go b/backend/plonk/bw6-761/verify.go
index f9b2dad361..51c0719b8d 100644
--- a/backend/plonk/bw6-761/verify.go
+++ b/backend/plonk/bw6-761/verify.go
@@ -39,7 +39,7 @@ var (
)
func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
- log := logger.Logger().With().Str("curve", "bw6_761").Str("backend", "plonk").Logger()
+ log := logger.Logger().With().Str("curve", "bw6-761").Str("backend", "plonk").Logger()
start := time.Now()
// pick a hash function to derive the challenge (the same as in the prover)
@@ -137,16 +137,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
zu := proof.ZShiftedOpening.ClaimedValue
- qC := make([]fr.Element, len(proof.Bsb22Commitments))
- copy(qC, proof.BatchedProof.ClaimedValues)
- claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):]
- claimedQuotient := claimedValues[0]
- linearizedPolynomialZeta := claimedValues[1]
- l := claimedValues[2]
- r := claimedValues[3]
- o := claimedValues[4]
- s1 := claimedValues[5]
- s2 := claimedValues[6]
+ claimedQuotient := proof.BatchedProof.ClaimedValues[0]
+ linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1]
+ l := proof.BatchedProof.ClaimedValues[2]
+ r := proof.BatchedProof.ClaimedValues[3]
+ o := proof.BatchedProof.ClaimedValues[4]
+ s1 := proof.BatchedProof.ClaimedValues[5]
+ s2 := proof.BatchedProof.ClaimedValues[6]
_s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ)
_s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ)
@@ -220,6 +217,8 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
vk.S[2], proof.Z, // second & third part
)
+ qC := make([]fr.Element, len(proof.Bsb22Commitments))
+ copy(qC, proof.BatchedProof.ClaimedValues[7:])
scalars := append(qC,
l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part
_s1, _s2, // second & third part
@@ -229,15 +228,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
}
// Fold the first proof
- foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp,
- foldedH,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- vk.S[0],
- vk.S[1],
- ),
+ digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7)
+ copy(digestsToFold[7:], vk.Qcp)
+ digestsToFold[0] = foldedH
+ digestsToFold[1] = linearizedPolynomialDigest
+ digestsToFold[2] = proof.LRO[0]
+ digestsToFold[3] = proof.LRO[1]
+ digestsToFold[4] = proof.LRO[2]
+ digestsToFold[5] = vk.S[0]
+ digestsToFold[6] = vk.S[1]
+ foldedProof, foldedDigest, err := kzg.FoldProof(
+ digestsToFold,
&proof.BatchedProof,
zeta,
hFunc,
diff --git a/internal/generator/backend/template/zkpschemes/plonk/plonk.prove.go.tmpl b/internal/generator/backend/template/zkpschemes/plonk/plonk.prove.go.tmpl
index 44bf897328..d2034c03ea 100644
--- a/internal/generator/backend/template/zkpschemes/plonk/plonk.prove.go.tmpl
+++ b/internal/generator/backend/template/zkpschemes/plonk/plonk.prove.go.tmpl
@@ -133,7 +133,7 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
// we keep in lagrange regular form since iop.BuildRatioCopyConstraint prefers it in this form.
wliop = iop.NewPolynomial(&evaluationLDomainSmall, lagReg)
// we set the underlying slice capacity to domain[1].Cardinality to minimize mem moves.
- bwliop = wliop.Clone(int(pk.Domain[1].Cardinality)).ToCanonical(&pk.Domain[0]).ToRegular().Blind(1)
+ bwliop = wliop.Clone(int(pk.Domain[1].Cardinality)).ToCanonical(&pk.Domain[0]).ToRegular().Blind(1)
wgLRO.Done()
}()
go func() {
@@ -147,13 +147,11 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
wgLRO.Done()
}()
-
fw, ok := fullWitness.Vector().(fr.Vector)
if !ok {
return nil, witness.ErrInvalidWitness
}
-
// start computing lcqk
var lcqk *iop.Polynomial
chLcqk := make(chan struct{}, 1)
@@ -216,7 +214,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
bwoiop.ToLagrangeCoset(&pk.Domain[1])
wgLRO.Done()
}()
-
// compute the copy constraint's ratio
// note that wliop, wriop and woiop are fft'ed (mutated) in the process.
@@ -260,7 +257,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
chZ <- nil
close(chZ)
}()
-
// Full capture using latest gnark crypto...
fic := func(fql, fqr, fqm, fqo, fqk, l, r, o fr.Element, pi2QcPrime []fr.Element) fr.Element { // TODO @Tabaie make use of the fact that qCPrime is a selector: sparse and binary
@@ -283,7 +279,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
return ic
}
-
fo := func(l, r, o, fid, fs1, fs2, fs3, fz, fzs fr.Element) fr.Element {
u := &pk.Domain[0].FrMultiplicativeGen
var a, b, tmp fr.Element
@@ -352,8 +347,7 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
pk.lcQo,
lcqk,
pk.lLoneIOP,
-
- }
+ }
toEval = append(toEval, lcCommitments...) // TODO: Add this at beginning
toEval = append(toEval, pk.lcQcp...)
systemEvaluation, err := iop.Evaluate(fm, iop.Form{Basis: iop.LagrangeCoset, Layout: iop.BitReverse}, toEval...)
@@ -366,7 +360,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
bwziop.ToCanonical(&pk.Domain[1]).ToRegular()
close(chbwzIOP)
}()
-
h, err := iop.DivideByXMinusOne(systemEvaluation, [2]*fft.Domain{&pk.Domain[0], &pk.Domain[1]}) // TODO Rename to DivideByXNMinusOne or DivideByVanishingPoly etc
if err != nil {
@@ -421,7 +414,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
return nil, err
}
-
// start to compute foldedH and foldedHDigest while computeLinearizedPolynomial runs.
computeFoldedH := make(chan struct{}, 1)
var foldedH []fr.Element
@@ -456,7 +448,6 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
wgEvals.Wait() // wait for the evaluations
-
var (
linearizedPolynomialCanonical []fr.Element
linearizedPolynomialDigest curve.G1Affine
@@ -486,35 +477,41 @@ func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts
// TODO this commitment is only necessary to derive the challenge, we should
// be able to avoid doing it and get the challenge in another way
- linearizedPolynomialDigest, errLPoly = kzg.Commit(linearizedPolynomialCanonical, pk.Kzg, runtime.NumCPU() * 2)
+ linearizedPolynomialDigest, errLPoly = kzg.Commit(linearizedPolynomialCanonical, pk.Kzg, runtime.NumCPU()*2)
if errLPoly != nil {
return nil, errLPoly
}
-
// wait for foldedH and foldedHDigest
<-computeFoldedH
// Batch open the first list of polynomials
+ polysQcp := coefficients(pk.trace.Qcp)
+ polysToOpen := make([][]fr.Element, 7+len(polysQcp))
+ copy(polysToOpen[7:], polysQcp)
+ // offset := len(polysQcp)
+ polysToOpen[0] = foldedH
+ polysToOpen[1] = linearizedPolynomialCanonical
+ polysToOpen[2] = bwliop.Coefficients()[:bwliop.BlindedSize()]
+ polysToOpen[3] = bwriop.Coefficients()[:bwriop.BlindedSize()]
+ polysToOpen[4] = bwoiop.Coefficients()[:bwoiop.BlindedSize()]
+ polysToOpen[5] = pk.trace.S1.Coefficients()
+ polysToOpen[6] = pk.trace.S2.Coefficients()
+
+ digestsToOpen := make([]curve.G1Affine, len(pk.Vk.Qcp)+7)
+ copy(digestsToOpen[7:], pk.Vk.Qcp)
+ // offset = len(pk.Vk.Qcp)
+ digestsToOpen[0] = foldedHDigest
+ digestsToOpen[1] = linearizedPolynomialDigest
+ digestsToOpen[2] = proof.LRO[0]
+ digestsToOpen[3] = proof.LRO[1]
+ digestsToOpen[4] = proof.LRO[2]
+ digestsToOpen[5] = pk.Vk.S[0]
+ digestsToOpen[6] = pk.Vk.S[1]
+
proof.BatchedProof, err = kzg.BatchOpenSinglePoint(
- append(coefficients(pk.trace.Qcp),
- foldedH,
- linearizedPolynomialCanonical,
- bwliop.Coefficients()[:bwliop.BlindedSize()],
- bwriop.Coefficients()[:bwriop.BlindedSize()],
- bwoiop.Coefficients()[:bwoiop.BlindedSize()],
- pk.trace.S1.Coefficients(),
- pk.trace.S2.Coefficients(),
- ),
- append(pk.Vk.Qcp,
- foldedHDigest,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- pk.Vk.S[0],
- pk.Vk.S[1],
- ),
+ polysToOpen,
+ digestsToOpen,
zeta,
hFunc,
pk.Kzg,
@@ -540,7 +537,7 @@ func coefficients(p []*iop.Polynomial) [][]fr.Element {
// fills proof.LRO with kzg commits of bcl, bcr and bco
func commitToLRO(bcl, bcr, bco []fr.Element, proof *Proof, kzgPk kzg.ProvingKey) error {
- n := runtime.NumCPU()
+ n := runtime.NumCPU()
var err0, err1, err2 error
chCommit0 := make(chan struct{}, 1)
chCommit1 := make(chan struct{}, 1)
@@ -566,7 +563,7 @@ func commitToLRO(bcl, bcr, bco []fr.Element, proof *Proof, kzgPk kzg.ProvingKey)
}
func commitToQuotient(h1, h2, h3 []fr.Element, proof *Proof, kzgPk kzg.ProvingKey) error {
- n := runtime.NumCPU()
+ n := runtime.NumCPU()
var err0, err1, err2 error
chCommit0 := make(chan struct{}, 1)
chCommit1 := make(chan struct{}, 1)
@@ -649,7 +646,6 @@ func computeLinearizedPolynomial(lZeta, rZeta, oZeta, alpha, beta, gamma, zeta,
Mul(&lagrangeZeta, &alpha).
Mul(&lagrangeZeta, &pk.Domain[0].CardinalityInv) // (1/n)*α²*L₁(ζ)
-
s3canonical := pk.trace.S3.Coefficients()
utils.Parallelize(len(blindedZCanonical), func(start, end int) {
@@ -697,4 +693,4 @@ func computeLinearizedPolynomial(lZeta, rZeta, oZeta, alpha, beta, gamma, zeta,
}
})
return blindedZCanonical
-}
\ No newline at end of file
+}
diff --git a/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl b/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl
index 7a2d582ce9..3ab826cedd 100644
--- a/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl
+++ b/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl
@@ -20,7 +20,7 @@ var (
)
func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
- log := logger.Logger().With().Str("curve", "{{ toLower .CurveID }}").Str("backend", "plonk").Logger()
+ log := logger.Logger().With().Str("curve", "{{ toLower .Curve }}").Str("backend", "plonk").Logger()
start := time.Now()
// pick a hash function to derive the challenge (the same as in the prover)
@@ -103,10 +103,10 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
den.Sub(&zeta, &wPowI) // ζ-wⁱ
lagrange.SetOne().
- Sub(&zeta, &lagrange). // ζ-1
- Mul(&lagrange, &wPowI). // wⁱ(ζ-1)
- Div(&lagrange, &den). // wⁱ(ζ-1)/(ζ-wⁱ)
- Mul(&lagrange, &lagrangeOne) // wⁱ/n (ζⁿ-1)/(ζ-wⁱ)
+ Sub(&zeta, &lagrange). // ζ-1
+ Mul(&lagrange, &wPowI). // wⁱ(ζ-1)
+ Div(&lagrange, &den). // wⁱ(ζ-1)/(ζ-wⁱ)
+ Mul(&lagrange, &lagrangeOne) // wⁱ/n (ζⁿ-1)/(ζ-wⁱ)
xiLi.Mul(&lagrange, &hashRes[0])
pi.Add(&pi, &xiLi)
@@ -118,16 +118,13 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
zu := proof.ZShiftedOpening.ClaimedValue
- qC := make([]fr.Element, len(proof.Bsb22Commitments))
- copy(qC, proof.BatchedProof.ClaimedValues)
- claimedValues := proof.BatchedProof.ClaimedValues[len(proof.Bsb22Commitments):]
- claimedQuotient := claimedValues[0]
- linearizedPolynomialZeta := claimedValues[1]
- l := claimedValues[2]
- r := claimedValues[3]
- o := claimedValues[4]
- s1 := claimedValues[5]
- s2 := claimedValues[6]
+ claimedQuotient := proof.BatchedProof.ClaimedValues[0]
+ linearizedPolynomialZeta := proof.BatchedProof.ClaimedValues[1]
+ l := proof.BatchedProof.ClaimedValues[2]
+ r := proof.BatchedProof.ClaimedValues[3]
+ o := proof.BatchedProof.ClaimedValues[4]
+ s1 := proof.BatchedProof.ClaimedValues[5]
+ s2 := proof.BatchedProof.ClaimedValues[6]
_s1.Mul(&s1, &beta).Add(&_s1, &l).Add(&_s1, &gamma) // (l(ζ)+β*s1(ζ)+γ)
_s2.Mul(&s2, &beta).Add(&_s2, &r).Add(&_s2, &gamma) // (r(ζ)+β*s2(ζ)+γ)
@@ -201,8 +198,10 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
vk.S[2], proof.Z, // second & third part
)
+ qC := make([]fr.Element, len(proof.Bsb22Commitments))
+ copy(qC, proof.BatchedProof.ClaimedValues[7:])
scalars := append(qC,
- l, r, rl, o, one /* TODO Perf @Tabaie Consider just adding Qk instead */, // first part
+ l, r, rl, o, one, /* TODO Perf @Tabaie Consider just adding Qk instead */ // first part
_s1, _s2, // second & third part
)
if _, err := linearizedPolynomialDigest.MultiExp(points, scalars, ecc.MultiExpConfig{}); err != nil {
@@ -210,15 +209,17 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error {
}
// Fold the first proof
- foldedProof, foldedDigest, err := kzg.FoldProof(append(vk.Qcp,
- foldedH,
- linearizedPolynomialDigest,
- proof.LRO[0],
- proof.LRO[1],
- proof.LRO[2],
- vk.S[0],
- vk.S[1],
- ),
+ digestsToFold := make([]curve.G1Affine, len(vk.Qcp)+7)
+ copy(digestsToFold[7:], vk.Qcp)
+ digestsToFold[0] = foldedH
+ digestsToFold[1] = linearizedPolynomialDigest
+ digestsToFold[2] = proof.LRO[0]
+ digestsToFold[3] = proof.LRO[1]
+ digestsToFold[4] = proof.LRO[2]
+ digestsToFold[5] = vk.S[0]
+ digestsToFold[6] = vk.S[1]
+ foldedProof, foldedDigest, err := kzg.FoldProof(
+ digestsToFold,
&proof.BatchedProof,
zeta,
hFunc,
@@ -318,6 +319,7 @@ func deriveRandomness(fs *fiatshamir.Transcript, challenge string, points ...*cu
return r, nil
}
+
{{if eq .Curve "BN254"}}
// ExportSolidity exports the verifying key to a solidity smart contract.
//