plonk: replaced structure transcript_hash_t with class transcript_has…

…her that makes a call to hash function. for the moment it directly returns the expected hash values for the purposes of testing. addresses issue #56.

libsnark/zk_proof_systems/plonk/prover.hpp

@@ -461,23 +461,16 @@ template<typename ppT> class plonk_prover
     /// \param[in] blind_scalars: random blinding scalars b1, b2, ..., b9
     ///            used in prover rounds 1 and 2 (see Sect. 8.3, roumds
     ///            1,2 [GWC19])
-    /// \param[in] transcript_hash: hashes of the communication transcript
-    ///            after prover rounds 1,2,3,4,5. TODO: \attention
-    ///            currently the structure is used as an input initialized
-    ///            with hard-coded example values for debug purposes. In
-    ///            the long run it should be modified to be used as an
-    ///            output. More specifically, the hard-coded values should
-    ///            be overwritten with the actual transcript hashes
-    ///            produced after the respective rounds within \ref
-    ///            compute_proof
+    /// \param[in] transcript_hasher: hashes of the communication
+    ///            transcript after prover rounds 1,2,3,4,5.
     ///
     /// OUTPUT
     /// \param[out] proof: SNARK proof Pi (see above)
     static plonk_proof<ppT> compute_proof(
         const srs<ppT> &srs,
         const std::vector<Field> &witness,
         const std::vector<libff::Fr<ppT>> &blind_scalars,
-        transcript_hash_t<ppT> &transcript_hash);
+        transcript_hasher<ppT> &hasher);
 };
 
 } // namespace libsnark

libsnark/zk_proof_systems/plonk/prover.tcc

@@ -998,15 +998,8 @@ plonk_proof<ppT>::plonk_proof(
 /// \param[in] blind_scalars: random blinding scalars b1, b2, ..., b9
 ///            used in prover rounds 1 and 2 (see Sect. 8.3, roumds
 ///            1,2 [GWC19])
-/// \param[in] transcript_hash: hashes of the communication transcript
-///            after prover rounds 1,2,3,4,5. TODO: \attention
-///            currently the structure is used as an input initialized
-///            with hard-coded example values for debug purposes. In
-///            the long run it should be modified to be used as an
-///            output. More specifically, the hard-coded values should
-///            be overwritten with the actual transcript hashes
-///            produced after the respective rounds within \ref
-///            compute_proof
+/// \param[in] transcript_hasher: hashes of the communication
+///            transcript after prover rounds 1,2,3,4,5.
 ///
 /// OUTPUT
 /// \param[out] proof: SNARK proof Pi (see above)
@@ -1015,7 +1008,7 @@ plonk_proof<ppT> plonk_prover<ppT>::compute_proof(
     const srs<ppT> &srs,
     const std::vector<Field> &witness,
     const std::vector<libff::Fr<ppT>> &blind_scalars,
-    transcript_hash_t<ppT> &transcript_hash)
+    transcript_hasher<ppT> &hasher)
 {
     // Prover Round 0 (initialization)
     printf("[%s:%d] Prover Round 0...\n", __FILE__, __LINE__);
@@ -1028,27 +1021,28 @@ plonk_proof<ppT> plonk_prover<ppT>::compute_proof(
 
     printf("[%s:%d] Prover Round 2...\n", __FILE__, __LINE__);
     // - beta, gamma: permutation challenges - hashes of transcript of round 1
-    const libff::Fr<ppT> beta = transcript_hash.beta;
-    const libff::Fr<ppT> gamma = transcript_hash.gamma;
+    const libff::Fr<ppT> beta = hasher.get_hash();
+    const libff::Fr<ppT> gamma = hasher.get_hash();
+
     round_two_out_t<ppT> round_two_out = plonk_prover::round_two(
         beta, gamma, round_zero_out, blind_scalars, witness, srs);
 
     printf("[%s:%d] Prover Round 3...\n", __FILE__, __LINE__);
     // - alpha: quotient challenge - hash of transcript of rounds 1,2
-    libff::Fr<ppT> alpha = transcript_hash.alpha;
+    const libff::Fr<ppT> alpha = hasher.get_hash();
     round_three_out_t<ppT> round_three_out = plonk_prover::round_three(
         alpha, beta, gamma, round_zero_out, round_one_out, round_two_out, srs);
 
     printf("[%s:%d] Prover Round 4...\n", __FILE__, __LINE__);
     // - zeta: evaluation challenge - hash of transcriptof rounds 1,2,3
-    libff::Fr<ppT> zeta = transcript_hash.zeta;
+    const libff::Fr<ppT> zeta = hasher.get_hash();
     round_four_out_t<ppT> round_four_out =
         plonk_prover::round_four(zeta, round_one_out, round_three_out, srs);
 
     printf("[%s:%d] Prover Round 5...\n", __FILE__, __LINE__);
     /// - nu: opening challenge -- hash of transcript (denoted by v in
     ///   [GWC19])
-    libff::Fr<ppT> nu = transcript_hash.nu;
+    const libff::Fr<ppT> nu = hasher.get_hash();
     round_five_out_t<ppT> round_five_out = plonk_prover::round_five(
         alpha,
         beta,
@@ -1064,10 +1058,15 @@ plonk_proof<ppT> plonk_prover<ppT>::compute_proof(
 
     // TODO: activate this part when we implement actual hashing of
     // communication transcripts
-#if 0    
+#if 0
     // u: multipoint evaluation challenge -- hash of transcript from
     // rounds 1,2,3,4,5
-    libff::Fr<ppT> u = transcript_hash.u;
+    const libff::Fr<ppT> u = hasher.get_hash();
+#else
+    // do the hash anyway in order to keep the correct count of the
+    // hasher istep member (which resets to 0 only after the last hash
+    // is performed which is hash of u)
+    hasher.get_hash();
 #endif
 
     // construct proof

libsnark/zk_proof_systems/plonk/srs.hpp

@@ -179,32 +179,22 @@ template<typename ppT> class plonk_keypair
     plonk_keypair(plonk_keypair<ppT> &&other) = default;
 };
 
-/// Hashes of transcript after prover rounds 1,2,3,4,5
-template<typename ppT> struct transcript_hash_t {
-
-    /// - beta: permutation challenge - hashes of transcript after round 1
-    libff::Fr<ppT> beta;
-    /// - gamma: permutation challenge - hashes of transcript after round 1
-    libff::Fr<ppT> gamma;
-    /// - alpha: quotient challenge - hash of transcript after rounds 1,2
-    libff::Fr<ppT> alpha;
-    /// - zeta: evaluation challenge - hash of transcriptafter rounds 1,2,3
-    libff::Fr<ppT> zeta;
-    /// - nu: opening challenge - hash of transcript after rounds 1,2,3,4
-    /// (denoted by v in [GWC19])
-    libff::Fr<ppT> nu;
-    /// - u: multipoint evaluation challenge -- hash of transcript after rounds
-    /// 1,2,3,4,5
-    libff::Fr<ppT> u;
-
-    /// struct constructor
-    transcript_hash_t(
-        libff::Fr<ppT> &beta,
-        libff::Fr<ppT> &gamma,
-        libff::Fr<ppT> &alpha,
-        libff::Fr<ppT> &zeta,
-        libff::Fr<ppT> &nu,
-        libff::Fr<ppT> &u);
+/// transcript hasher interface
+template<typename ppT> class transcript_hasher
+{
+private:
+    // the current step of the hasher
+    size_t istep;
+
+public:
+    void add_element(const libff::Fr<ppT> &element);
+    void add_element(const libff::G1<ppT> &element);
+    void add_element(const libff::G2<ppT> &element);
+
+    libff::Fr<ppT> get_hash();
+
+    // constructor
+    transcript_hasher(size_t &istep);
 };
 
 } // namespace libsnark

libsnark/zk_proof_systems/plonk/srs.tcc

@@ -70,19 +70,68 @@ plonk_keypair<ppT>::plonk_keypair(
 {
 }
 
-/// struct transcript_hash_t constructor
+/// transcript_hasher constructor
 template<typename ppT>
-transcript_hash_t<ppT>::transcript_hash_t(
-    libff::Fr<ppT> &beta,
-    libff::Fr<ppT> &gamma,
-    libff::Fr<ppT> &alpha,
-    libff::Fr<ppT> &zeta,
-    libff::Fr<ppT> &nu,
-    libff::Fr<ppT> &u)
-    : beta(beta), gamma(gamma), alpha(alpha), zeta(zeta), nu(nu), u(u)
+transcript_hasher<ppT>::transcript_hasher(size_t &istep) : istep(istep)
 {
 }
 
+/// dummy implementation of get_hash that directly returns the
+/// expected hard-coded hashes for the purposes of unit testing TODO
+/// to be replaced by a call to a proper hash function e.g. SHA2,
+/// BLAKE, etc.
+template<typename ppT> libff::Fr<ppT> transcript_hasher<ppT>::get_hash()
+{
+    assert((this->istep >= 0) && (this->istep <= 5));
+    using Field = libff::Fr<ppT>;
+
+    Field beta = Field("3710899868510394644410941212967766116886736137326022751"
+                       "891187938298987182388");
+    Field gamma = Field("110379303840831945879077096653321168432672740458288022"
+                        "49545114995763715746939");
+    Field alpha = Field("379799789992747238930717819864848384921111623418803600"
+                        "22719385400306128734648");
+    Field zeta = Field("4327197228921839935583364394550235027071910395980312641"
+                       "5018065799136107272465");
+    Field nu = Field("275158598338697752421507265080923414294782807831923791651"
+                     "55175653098691426347");
+    Field u = Field("1781751143954696684632449211212056577828855388109883650570"
+                    "6049265393896966778");
+    if (this->istep == 0) {
+        printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep);
+        this->istep++;
+        return beta;
+    }
+    if (this->istep == 1) {
+        printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep);
+        this->istep++;
+        return gamma;
+    }
+    if (this->istep == 2) {
+        printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep);
+        this->istep++;
+        return alpha;
+    }
+    if (this->istep == 3) {
+        printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep);
+        this->istep++;
+        return zeta;
+    }
+    if (this->istep == 4) {
+        printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep);
+        this->istep++;
+        return nu;
+    }
+    if (this->istep == 5) {
+        // reset step to 0
+        printf("[%s:%d] istep %d\n", __FILE__, __LINE__, (int)istep);
+        this->istep = 0;
+        return u;
+    }
+    // error
+    return 0;
+}
+
 /// Compute a universal srs (usrs). It is composed *only* of encoded
 /// powers of the secret value in the group generator. Therefore a usrs
 /// is independent of any particular circuit.