WIP permutation checks in verifier

2020-09-01 13:06:25 +08:00 · 2020-09-01 13:06:25 +08:00 · 2472ec3291
parent 0bf73c5d08
commit 2472ec3291
3 changed files with 49 additions and 0 deletions
--- a/src/plonk.rs
+++ b/src/plonk.rs
@ -44,6 +44,10 @@ pub struct SRS<C: CurveAffine> {
 pub struct Proof<C: CurveAffine> {
    advice_commitments: Vec<C>,
    h_commitments: Vec<C>,
+    permutation_product_commitments: Vec<C>,
+    permutation_product_evals: Vec<C::Scalar>,
+    permutation_product_inv_evals: Vec<C::Scalar>,
+    permutation_evals: Vec<C::Scalar>,
    advice_evals: Vec<C::Scalar>,
    fixed_evals: Vec<C::Scalar>,
    h_evals: Vec<C::Scalar>,
--- a/src/plonk/prover.rs
+++ b/src/plonk/prover.rs
@ -111,6 +111,12 @@ impl<C: CurveAffine> Proof<C> {
            })
            .collect();

+        // Sample x_0 challenge
+        let x_0: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
+
+        // Sample x_1 challenge
+        let x_1: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
+
        // Obtain challenge for keeping all separate gates linearly independent
        let x_2: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));

@ -369,6 +375,10 @@ impl<C: CurveAffine> Proof<C> {
        Ok(Proof {
            advice_commitments,
            h_commitments,
+            permutation_product_commitments: vec![C::default(); params.n as usize],
+            permutation_product_evals: vec![C::Scalar::one(); params.n as usize],
+            permutation_product_inv_evals: vec![C::Scalar::one(); params.n as usize],
+            permutation_evals: vec![C::Scalar::one(); params.n as usize],
            advice_evals,
            fixed_evals,
            h_evals,
--- a/src/plonk/verifier.rs
+++ b/src/plonk/verifier.rs
@ -19,6 +19,41 @@ impl<C: CurveAffine> Proof<C> {
                .expect("proof cannot contain points at infinity");
        }

+        // Sample x_0 challenge
+        let x_0: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
+
+        // Sample x_1 challenge
+        let x_1: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
+
+        // Check permutations
+        // Compute [omega^0, omega^1, ..., omega^{params.n - 1}]
+        let mut omega_powers = Vec::with_capacity(params.n as usize);
+        {
+            let mut cur = C::Scalar::one();
+            for _ in 0..params.n {
+                omega_powers.push(cur);
+                cur *= &srs.domain.get_omega();
+            }
+        }
+
+        // For each permutation
+        for perm in &srs.meta.permutations {
+            // Check permutation condition on all points
+            for i in 0..params.n as usize {
+                let left_perm_eval = self.permutation_product_inv_evals[i];
+                let right_perm_eval = self.permutation_product_evals[i];
+
+                for wire in perm {
+                    // z(\omega^{-1} X) (a(X) + \beta X + \gamma) (b(X) + \delta \beta X + \gamma) (c(X) + \delta^2 \beta X + \gamma)
+
+                    // z(X) (a(X) + \beta s_a(X) + \gamma) (b(X) + \beta s_b(X) + \gamma) (c(X) + \beta s_c(X) + \gamma)
+                }
+                if left_perm_eval != right_perm_eval {
+                    return false;
+                }
+            }
+        }
+
        // Sample x_2 challenge, which keeps the gates linearly independent.
        let x_2: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));