From f2daf913159ff462827413723252f16def09e303 Mon Sep 17 00:00:00 2001
From: Sean Bowe
Date: Mon, 14 Feb 2022 09:30:43 -0700
Subject: [PATCH 1/2] halo2_proofs: change IPA check equation to match the book
The verifier's check in the inner product argument used to assume that the G'_0 value had an additional (trivial) blinding factor term, which makes it slightly easier to reason that it never is the point at infinity. However, we never sample challenges that are zeroes (both for security and completeness reasons) so this element would never be the point at infinity anyway. Thus, we can simplify the check with the added benefit of matching the book's description of the protocol.
---
halo2_proofs/CHANGELOG.md | 4 ++++
halo2_proofs/src/poly/commitment/verifier.rs | 16 ++++------------
2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/halo2_proofs/CHANGELOG.md b/halo2_proofs/CHANGELOG.md
index 76ccbb0416..d698906b90 100644
--- a/halo2_proofs/CHANGELOG.md
+++ b/halo2_proofs/CHANGELOG.md
@@ -18,6 +18,10 @@ and this project adheres to Rust's notion of
- `halo2_proofs::dev::FailureLocation` (used in `VerifyFailure::Lookup`)
### Changed
+- `halo2_proofs::commitment::verifier::Guard`, which is returned from
+ `halo2_proofs::plonk::verify_proof`, has changed so that values
+ returned from its method `compute_g` and expected in its method `use_g`
+ are not backwards compatible with values in previous versions.
- `halo2_proofs::plonk::verify_proof` now takes a `VerificationStrategy` instead of an `MSM` directly.
- `halo2_proofs` now depends on `rand_core` instead of `rand`.
diff --git a/halo2_proofs/src/poly/commitment/verifier.rs b/halo2_proofs/src/poly/commitment/verifier.rs
index c3defb2a55..3f1666338b 100644
--- a/halo2_proofs/src/poly/commitment/verifier.rs
+++ b/halo2_proofs/src/poly/commitment/verifier.rs
@@ -35,13 +35,12 @@ impl<'a, C: CurveAffine, E: EncodedChallenge> Guard<'a, C, E> {
pub fn use_challenges(mut self) -> MSM<'a, C> {
let s = compute_s(&self.u, self.neg_c);
self.msm.add_to_g_scalars(&s);
- self.msm.add_to_w_scalar(self.neg_c);
self.msm
}
/// Lets caller supply the purported G point and simply appends
- /// [-a] G to return an updated MSM.
+ /// [-c] G to return an updated MSM.
pub fn use_g(mut self, g: C) -> (MSM<'a, C>, Accumulator) {
self.msm.append_term(self.neg_c, g);
@@ -57,9 +56,7 @@ impl<'a, C: CurveAffine, E: EncodedChallenge> Guard<'a, C, E> {
pub fn compute_g(&self) -> C {
let s = compute_s(&self.u, C::Scalar::one());
- let mut tmp = best_multiexp(&s, &self.msm.params.g);
- tmp += self.msm.params.w;
- tmp.to_affine()
+ best_multiexp(&s, &self.msm.params.g).to_affine()
}
}
@@ -118,15 +115,10 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge, T: TranscriptRea
// equals (given b = \mathbf{b}_0, and the prover's values c, f),
// the right-hand side
// = [c] (G'_0 + [b * z] U) + [f] W
- // except that we wish for the prover to supply G'_0 as Commit(g(X); 1) so
- // we must substitute G'_0 with G'_0 - W to get
- // = [c] ((G'_0 - W) + [b * z] U) + [f] W
- // = [c] G'_0 + [-c] W + [cbz] U + [f] W
- // = [c] G'_0 + [cbz] U + [f - c] W
// and then subtracting the right-hand side from both sides
// to get
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
- // + [-c] G'_0 + [-cbz] U + [c - f] W
+ // + [-c] G'_0 + [-cbz] U + [-f] W
// = 0
let c = transcript.read_scalar().map_err(|_| Error::SamplingError)?;
@@ -135,7 +127,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge, T: TranscriptRea
let b = compute_b(x, &u);
msm.add_to_u_scalar(neg_c * &b * &z);
- msm.add_to_w_scalar(c - &f);
+ msm.add_to_w_scalar(-f);
let guard = Guard {
msm,
From 0b73c74f728428ed7b508617d839ca500d76b549 Mon Sep 17 00:00:00 2001
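Review bot: The doc comment on `use_g` in the first hunk still calls its argument "the purported G point" without saying what that point now is, even though this commit changes it: with the W term removed from `use_challenges` and `compute_g`, the value `use_g` expects is presumably the unblinded ⟨s, params.g⟩ that `compute_g` returns, and the CHANGELOG hunk records that older values are no longer compatible while the code comment does not. Suggest `/// Lets caller supply the purported G point, which is now the unblinded ⟨s, params.g⟩ that [`Self::compute_g`] produces (no W term), and simply appends [-c] G to return an updated MSM.` The body of `use_g` and the enclosing `impl` continue outside the hunk.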
From: Sean Bowe
Date: Mon, 14 Feb 2022 10:44:14 -0700
Subject: [PATCH 2/2] Address comments brought up by @str4d.
---
halo2_proofs/src/poly/commitment/verifier.rs | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/halo2_proofs/src/poly/commitment/verifier.rs b/halo2_proofs/src/poly/commitment/verifier.rs
index 3f1666338b..e1c813dd3a 100644
--- a/halo2_proofs/src/poly/commitment/verifier.rs
+++ b/halo2_proofs/src/poly/commitment/verifier.rs
@@ -52,7 +52,7 @@ impl<'a, C: CurveAffine, E: EncodedChallenge> Guard<'a, C, E> {
(self.msm, accumulator)
}
- /// Computes G + W, where G = ⟨s, params.g⟩ and W is used for blinding
+ /// Computes G = ⟨s, params.g⟩
pub fn compute_g(&self) -> C {
let s = compute_s(&self.u, C::Scalar::one());
@@ -115,8 +115,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge, T: TranscriptRea
// equals (given b = \mathbf{b}_0, and the prover's values c, f),
// the right-hand side
// = [c] (G'_0 + [b * z] U) + [f] W
- // and then subtracting the right-hand side from both sides
- // to get
+ // Subtracting the right-hand side from both sides we get
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
// + [-c] G'_0 + [-cbz] U + [-f] W
// = 0
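Review bot: The new one-line doc on `compute_g` in the first hunk drops the blinding term but does not record the invariant the first commit's message leans on — that G = ⟨s, params.g⟩ can be trusted never to be the point at infinity because the u_j challenges are never sampled as zero. That argument now lives only in the commit message and in challenge-sampling code outside this file, so a maintainer reading `compute_g` or the `[-c] G'_0` term in `verify_proof` has no pointer to it. Suggest `/// Computes G = ⟨s, params.g⟩. No blinding term is added: the verifier check relies on the u_j challenges never being zero (see where they are sampled), which is what keeps this from being the point at infinity.` The body of `compute_g` continues outside the hunk.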