From 2472ec32910d34fcfb660be79bd68b5b621bc5ce Mon Sep 17 00:00:00 2001
From: therealyingtong <yingtong@electriccoin.co>
Date: Tue, 1 Sep 2020 13:06:25 +0800
Subject: [PATCH] WIP permutation checks in verifier

---
 src/plonk.rs          |  4 ++++
 src/plonk/prover.rs   | 10 ++++++++++
 src/plonk/verifier.rs | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)

diff --git a/src/plonk.rs b/src/plonk.rs
index f71ecf75..fd72bdeb 100644
--- a/src/plonk.rs
+++ b/src/plonk.rs
@@ -44,6 +44,10 @@ pub struct SRS<C: CurveAffine> {
 pub struct Proof<C: CurveAffine> {
     advice_commitments: Vec<C>,
     h_commitments: Vec<C>,
+    permutation_product_commitments: Vec<C>,
+    permutation_product_evals: Vec<C::Scalar>,
+    permutation_product_inv_evals: Vec<C::Scalar>,
+    permutation_evals: Vec<C::Scalar>,
     advice_evals: Vec<C::Scalar>,
     fixed_evals: Vec<C::Scalar>,
     h_evals: Vec<C::Scalar>,
diff --git a/src/plonk/prover.rs b/src/plonk/prover.rs
index 8ac627e9..f4081a9b 100644
--- a/src/plonk/prover.rs
+++ b/src/plonk/prover.rs
@@ -111,6 +111,12 @@ impl<C: CurveAffine> Proof<C> {
             })
             .collect();
 
+        // Sample x_0 challenge
+        let x_0: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
+
+        // Sample x_1 challenge
+        let x_1: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
+
         // Obtain challenge for keeping all separate gates linearly independent
         let x_2: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
 
@@ -369,6 +375,10 @@ impl<C: CurveAffine> Proof<C> {
         Ok(Proof {
             advice_commitments,
             h_commitments,
+            permutation_product_commitments: vec![C::default(); params.n as usize],
+            permutation_product_evals: vec![C::Scalar::one(); params.n as usize],
+            permutation_product_inv_evals: vec![C::Scalar::one(); params.n as usize],
+            permutation_evals: vec![C::Scalar::one(); params.n as usize],
             advice_evals,
             fixed_evals,
             h_evals,
diff --git a/src/plonk/verifier.rs b/src/plonk/verifier.rs
index d8560d17..37083f0b 100644
--- a/src/plonk/verifier.rs
+++ b/src/plonk/verifier.rs
@@ -19,6 +19,41 @@ impl<C: CurveAffine> Proof<C> {
                 .expect("proof cannot contain points at infinity");
         }
 
+        // Sample x_0 challenge
+        let x_0: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
+
+        // Sample x_1 challenge
+        let x_1: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
+
+        // Check permutations
+        // Compute [omega^0, omega^1, ..., omega^{params.n - 1}]
+        let mut omega_powers = Vec::with_capacity(params.n as usize);
+        {
+            let mut cur = C::Scalar::one();
+            for _ in 0..params.n {
+                omega_powers.push(cur);
+                cur *= &srs.domain.get_omega();
+            }
+        }
+
+        // For each permutation
+        for perm in &srs.meta.permutations {
+            // Check permutation condition on all points
+            for i in 0..params.n as usize {
+                let left_perm_eval = self.permutation_product_inv_evals[i];
+                let right_perm_eval = self.permutation_product_evals[i];
+
+                for wire in perm {
+                    // z(\omega^{-1} X) (a(X) + \beta X + \gamma) (b(X) + \delta \beta X + \gamma) (c(X) + \delta^2 \beta X + \gamma)
+
+                    // z(X) (a(X) + \beta s_a(X) + \gamma) (b(X) + \beta s_b(X) + \gamma) (c(X) + \beta s_c(X) + \gamma)
+                }
+                if left_perm_eval != right_perm_eval {
+                    return false;
+                }
+            }
+        }
+
         // Sample x_2 challenge, which keeps the gates linearly independent.
         let x_2: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));